Act on the Protection of Personal Information (Act No. 57 of 2003)
Last Version: Act No. 37 of 2021
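March 1, 2023
- Last updated: Act No. 37 of 2021
- Translation date: November 5, 2021
- Dictionary version: 14.0

February 4, 2016
- Last updated: Act No. 49 of 2009
- Translation date: February 21, 2014
- Dictionary version: 8.0

March 31, 2009
- Last updated: Act No. 119 of 2003
- Translation date: April 1, 2009
- Dictionary version: 1.0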
Act on the Protection of Personal Information (Partly unenforced)
Act No. 57 of May 30, 2003
Table of Contents
Chapter I General Provisions (Articles 1 to 3)
Chapter II Responsibilities of the National and Local Governments (Articles 4 to 6)
Chapter III Measures to Protect Personal Information
Section 1 Basic Policy on the Protection of Personal Information (Article 7)
Section 2 Measures Taken by the National Government (Articles 8 to 11)
Section 3 Measures Taken by the Local Government (Articles 12 to 14)
Section 4 Cooperation between the National and the Local Governments (Article 15)
Chapter IV Obligations of Businesses Handling Personal Information
Section 1 General Provisions (Article 16)
Section 2 Obligations of Businesses Handling Personal Information and Businesses Handling Information Related to Personal Information (Articles 17 to 40)
Section 3 Obligations of Businesses Handling Pseudonymized Personal Information (Articles 41 and 42)
Section 4 Obligations of Businesses Handling Anonymized Personal Information (Articles 43 to 46)
Section 5 Promoting the Protection of Personal Information in the Private Sector (Articles 47 to 56)
Section 6 Miscellaneous Provisions (Articles 57 to 59)
Chapter V Obligations of Administrative Entities
Section 1 General Provisions (Article 60)
Section 2 Handling of Personal or Other Related Information by Administrative Entities (Articles 61 to 73)
Section 3 Personal Information Files (Articles 74 and 75)
Section 4 Disclosure, Corrections, and Ceasing to Use
Subsection 1 Disclosure (Articles 76 to 89)
Subsection 2 Correction (Articles 90 to 97)
Subsection 3 Ceasing to Use Personal Information an Administrative Entity Holds (Articles 98 to 103)
Subsection 4 Appeals for Review (Articles 104 to 107)
Subsection 5 Relationships with Local Ordinances (Article 108)
Section 5 Provision of Anonymized Personal Information Administrative Entities Hold (Articles 109 to 123)
Section 6 Miscellaneous Provisions (Articles 124 to 129)
Chapter VI The Personal Information Protection Commission
Section 1 Establishment (Articles 130 to 145)
Section 2 Supervision and Monitoring
Subsection 1 Supervision of Businesses Handling Personal or Other Related Information (Articles 146 to 152)
Subsection 2 Supervision of Certified Personal Information Protection Organizations (Articles 153 to 155)
Subsection 3 Monitoring of Administrative Entities (Articles 156 to 160)
Section 3 Service of Documents (Articles 161 to 164)
Section 4 Miscellaneous Provisions (Articles 165 to 170)
Chapter VII Miscellaneous Provisions (Articles 171 to 175)
Chapter VIII Penal Provisions (Articles 176 to 185)
Chapter I General Provisions
(Purpose)
Article 1The purpose of this Act is to protect the rights and interests of individuals while ensuring the smooth and proper management of the processes or services of administrative entities as well as ensuring due consideration of the value of personal information and the fact that the proper and effective application of personal information contributes to the creation of new industries and the realization of a vibrant economic society and an enriched quality of life of the Japanese public; by setting forth the basic principles for the proper handling of personal information, creating a governmental basic policy with regard to this, establishing other matters to serve as a basis for measures to protect personal information, and clarifying the responsibilities of the national and local governments and establishing obligations that businesses and administrative entities that handle personal information are required to fulfill in accordance with their circumstances, as well as establishing the Personal Information Protection Commission, in light of the significantly expanding utilization of personal information as digital society evolves.
(Definitions)
Article 2(1)"Personal information" in this Act means information relating to a living individual which falls under any of the following items:
(i)information containing a name, date of birth, or other identifier or the equivalent (meaning all items (excluding individual identification codes) made by writing, recording, sound or motion, or other means, in a document, drawing, or electronic or magnetic record (this includes a record created in electronic or magnetic form (meaning electronic form, magnetic form, or any other form that cannot be perceived with the human senses; the same applies in item (ii) of the following paragraph); hereinafter the same); hereinafter the same) which can be used to identify a specific individual (this includes any information that can be easily collated with other information and thereby used to identify that specific individual);
(ii)those containing an individual identification code.
(2)"Individual identification code" in this Act means one prescribed by Cabinet Order which consists of any character, letter, number, symbol or other codes falling under any of the following items:
(i)characters, letters, numbers, symbols or other codes converted in order to be provided for use by computers, used to identify a specific individual by a distinguishing physical feature of theirs;
(ii)characters, letters, numbers, symbols or other codes used to identify a specific user, purchaser, or recipient, which are assigned differently for each of them regarding the use of services for an individual or the purchase of goods for an individual, or which are stated or recorded in an electronic or magnetic means differently for each of them in a card or other document issued to an individual.
(3)"Sensitive personal information" in this Act means personal information as to an identifiable person's race, creed, social status, medical history, criminal record, the fact of having suffered damage by a crime, or other identifiers or their equivalent prescribed by Cabinet Order as those of requiring special care so as not to cause unjust discrimination, prejudice or other disadvantages to that person.
(4)"Identifiable person" in relation to personal information in this Act means a specific individual identifiable by personal information.
(5)"Pseudonymized personal information" in this Act means information relating to an individual that can be prepared in a way that makes it not possible to identify a specific individual unless collated with other information by taking any of the measures prescribed in each following item in accordance with the divisions of personal information set forth in those items:
(i)personal information falling under paragraph (1), item (i): deleting a part of the identifiers or their equivalent contained in the personal information (including replacing the part of the identifiers or their equivalent with other identifiers or their equivalent without following patterns that enable its restoration);
(ii)personal information falling under paragraph (1), item (ii): deleting all individual identification codes contained in the personal information (including replacing the individual identification codes with other identifiers or their equivalent without following patterns that enable restoration of the individual identification codes).
(6)"Anonymized personal information" in this Act means information relating to an individual that can be prepared in a way that makes it not possible to identify a specific individual by taking any of the measures prescribed in each following item in accordance with the divisions of personal information set forth in those items; and also make it not possible to restore that personal information:
(i)personal information falling under paragraph (1), item (i): deleting a part of the identifiers or their equivalent contained in the personal information (including replacing the part of the identifiers or their equivalent with other identifiers or their equivalent without following patterns that enable its restoration);
(ii)personal information falling under paragraph (1), item (ii): deleting all individual identification codes contained in the personal information (including replacing the individual identification codes with other identifiers or their equivalent without following patterns that enable restoration of the individual identification codes).
(7)"Information related to personal information" in this Act means information relating to a living individual which doesn't fall under personal information, pseudonymized personal information and anonymized personal information.
(8)"Administrative organ" in this Act means the following:
(i)organs within the Cabinet (excluding the Cabinet Office) or under the jurisdiction of the Cabinet which are established pursuant to the provisions of laws;
(ii)the Cabinet Office, the Imperial Household Agency, and organs prescribed in Article 49, paragraphs (1) and (2) of the Act for Establishment of the Cabinet Office (Act No. 89 of 1999) (if, under these organs, an organ designated by Cabinet Order as prescribed in item (iv) is established, that organ designated by Cabinet Order is excluded);
(iii)organs prescribed in Article 3, paragraph (2) of the National Government Organization Act (Act No. 120 of 1948) (if, under these organs, an organ designated by Cabinet Order as prescribed in item (v) is established, that organ designated by Cabinet Order is excluded);
(iv)organs referred to in Articles 39 and 55 of the Act for Establishment of the Cabinet Office and in Article 16, paragraph (2) of the Imperial Household Agency Act (Act No. 70 of 1947), and extraordinary organs referred to in Articles 40 and 56 of the Act for Establishment of the Cabinet Office (including as applied mutatis mutandis pursuant to Article 18, paragraph (1) of the Imperial Household Agency Act), that are designated by Cabinet Order;
(v)facilities and other organs referred to in Article 8-2 of the National Government Organization Act, and extraordinary organs referred to in Article 8-3 of that Act, that are designated by Cabinet Order;
(vi)the Board of Audit.
(9)"Incorporated administrative agency or other prescribed corporation" in this Act means an incorporated administrative agency as prescribed in Article 2, paragraph (1) of the Act on General Rules for Incorporated Administrative Agency (Act No. 103 of 1999) and the corporation listed in the Appended Table 1.
(10)"Local incorporated administrative agency" in this Act means a local incorporated administrative agency as prescribed in Article 2, paragraph (1) of the Local Incorporated Administrative Agency Act (Act No. 118 of 2003).
(11)"Administrative entity" in this Act means the following organs:
(i)administrative organs;
(ii)local government organs (excluding assemblies; the same applies hereinafter except the following Chapter, Chapter III and Article 69, paragraph (2), item (iii));
(iii)incorporated administrative agencies or other prescribed corporations (excluding corporations listed in the Appended Table 2; the same applies in Article 16, paragraph (2), item (iii), Article 63, Article 78, paragraph (1), item (vii), (a) and (b), Article 89, paragraphs (4) through (6), Article 119, paragraphs (5) through (7), and Article 125, paragraph (2));
(iv)local incorporated administrative agencies (excluding those whose main purpose is providing the service listed in Article 21, item (i) of the Local Incorporated Administrative Agency Act, or those whose purpose is providing the service listed in item (ii) or (iii) of that Article (limited to the part relating to (h)); the same applies in Article 16, paragraph (2), item (iv), Article 63, Article 78, paragraph (1), item (vii), (a) and (b), Article 89, paragraphs (7) through (9), Article 119, paragraphs (8) through (10), and Article 125, paragraph (2)).
(Basic Principles)
Article 3The proper handling of personal information must be pursued in view of the fact that it should be handled prudently in line with the philosophy of respecting the autonomy of the individual.
Chapter II Responsibilities of the National and the Local Governments
(Responsibilities of the National Government)
Article 4The national government is responsible for comprehensively developing and implementing the necessary measures to ensure the proper handling of personal information by national government organs, local government organs, incorporated administrative agencies or other prescribed corporations, local incorporated administrative agencies, and businesses in conformity with the purport of this Act.
(Responsibilities of the Local Governments)
Article 5Local governments are responsible for developing and implementing necessary measures to ensure the proper handling of personal information by local government organs, local incorporated administrative agencies, and businesses within their territory based on its characteristics in conformity with the purport of this Act while considering the consistency with the measures taken by the national government.
(Legislative Measures)
Article 6The government is to take necessary legislative and other measures to ensure that there are special measures in place to protect personal information whose strict proper handling it is necessary to ensure in order to further protect the rights and interests of individuals, and also take necessary measures in collaboration with the governments of other countries to establish an internationally harmonized system for personal information through cooperation with international organizations and other international frameworks, in view of the nature of the personal information and the way in which it is used.
Chapter III Measures to Protect Personal Information
Section 1 Basic Policy on the Protection of Personal Information
Article 7(1)The government must establish a basic policy on the protection of personal information (hereinafter referred to as a "basic policy") in order to further comprehensive and integrated measures to protect personal information.
(2)The basic policy is to provide for the following details:
(i)the basic course of action for furthering measures to protect personal information;
(ii)the details of the measures to protect personal information that are to be taken by the national government;
(iii)the basic details of the measures to protect personal information that are to be taken by local governments;
(iv)the basic details of the measures to protect personal information that are to be taken by incorporated administrative agencies or other prescribed corporations;
(v)the basic details of the measures to protect personal information that are to be taken by local incorporated administrative agencies;
(vi)the basic details of the measures to protect personal information to be taken by businesses handling personal information prescribed in Article 16, paragraph (2), businesses handling pseudonymized personal information prescribed in paragraph (5) of that Article, businesses handling anonymized personal information prescribed in paragraph (6) of that Article, and certified personal information protection organizations prescribed in Article 51, paragraph (1);
(vii)information about the smooth processing of complaints about the handling of personal information;
(viii)other material information for furthering measures to protect personal information.
(3)The Prime Minister must call for a cabinet decision on the basic policy developed by the Personal Information Protection Commission.
(4)Following a cabinet decision made under the preceding paragraph, the Prime Minister must disclose the basic policy to the public without delay.
(5)The provisions of the preceding two paragraphs apply mutatis mutandis to amendments to the basic policy.
Section 2 Measures Taken by the National Government
(Protection of Personal Information Held by a National Government Organ)
Article 8(1)The national government is to take necessary measures so as to ensure the proper handling of personal information held by its organs.
(2)The national government is to take necessary measures so as to ensure the proper handling of personal information held by incorporated administrative agencies or other prescribed corporations.
(Support for Local Governments)
Article 9The national government is to take the necessary measures, such as providing information and formulating guidelines to ensure that local governments and businesses properly and effectively implement the measures that they are required to take, in order to support measures to protect personal information which local governments formulate and implement, and in order to support actions that the people or businesses take to ensure the proper handling of personal information.
(Complaint Processing Measures)
Article 10The national government is to take the necessary measures to ensure the appropriate and prompt processing of complaints arising between businesses and identifiable persons regarding the handling of personal information.
(Measures to Ensure the Proper Handling of Personal Information)
Article 11(1)The national government is to take the necessary measures to ensure that businesses handling personal information as prescribed in the following Chapter properly do so, by effecting an appropriate division of roles between the national and local governments.
(2)The national government is to take the necessary measures to ensure the proper handling of personal information by local governments and local incorporated administrative agencies prescribed in Chapter V.
Section 3 Measures Taken by the Local Government
(Protection of Personal Information Held by Local Government Organs)
Article 12(1)Local governments are to take the necessary measures in order to ensure the proper handling of personal information their organs hold.
(2)Local governments are to take the necessary measures in order to ensure the proper handling of personal information held by local incorporated administrative agencies they establish.
(Support for Local Businesses)
Article 13Local governments must endeavor to take the necessary measures to support businesses and residents within their territory so as to ensure the proper handling of personal information.
(Mediation for Complaint Processing)
Article 14Local governments must endeavor to provide mediation for complaint processing and take other necessary measures to ensure that any complaint arising between a business and an identifiable person regarding the handling of personal information is processed appropriately and promptly.
Section 4 Cooperation between the National and the Local Governments
Article 15The national and the local governments are to cooperate with one another in taking measures to protect personal information.
Chapter IV Obligations of Businesses Handling Personal Information
Section 1 General Provisions
(Definitions)
Article 16(1)"Personal information database or the equivalent" in this Chapter and Chapter VIII means a collective body of information comprised of personal information, as set forth in the following (excluding those prescribed by Cabinet Order as having little possibility of harming individual rights and interests in consideration of how the information is used):
(i)those systematically organized so as to be searchable for particular personal information using a computer;
(ii)beyond what is set forth in the preceding item, those prescribed by Cabinet Order as having been systematically organized so as to be easily searchable for particular personal information.
(2)"Business handling personal information" in this Chapter and Chapters VI through VIII means a person that uses a personal information database or the equivalent for business; provided, however, that this excludes persons set forth as follows:
(i)national government organs;
(ii)local governments;
(iii)incorporated administrative agencies or other prescribed corporations;
(iv)local incorporated administrative agencies.
(3)"Personal data" in this Chapter means personal information compiled in a personal information database or the equivalent.
(4)"Personal data the business holds" in this Chapter means personal data which a business handling personal information has the authority to disclose; to correct, add or delete content from; to cease to use; to erase; or to cease to provide to a third party, other than what Cabinet Order provides for as data which is likely to harm the public interest or other interests if its existence or non-existence is made clear.
(5)"Business handling pseudonymized personal information" in this Chapter and Chapters VI and VII means a person that uses a collective body of information consisting of pseudonymized personal information for business, which has been systematically organized to be searchable using a computer or is the equivalent as prescribed by Cabinet Order as systematically organized in order to be easily searchable for particular pseudonymized personal information (referred to as a "pseudonymized personal information database or the equivalent" in Article 41, paragraph (1)); provided, however, that this excludes persons set forth in each item of paragraph (2).
(6)"Business handling anonymized personal information" in this Chapter and Chapters VI and VII means a person that uses a collective body of information consisting of anonymized personal information for business, which has been systematically organized to be searchable using a computer or is the equivalent prescribed by Cabinet Order as systematically organized in order to be easily searchable for particular anonymized personal information (referred to as an "anonymized personal information database or the equivalent" in Article 43, paragraph (1)); provided, however, that this excludes persons set forth in each item of paragraph (2).
(7)"Business handling information related to personal information" in this Chapter and Chapters VI and VII means a person that uses a collective body of information consisting of information related to personal information for business, which has been systematically organized to be searchable using a computer or is the equivalent as prescribed by Cabinet Order as systematically organized in order to be easily searchable for particular information related to personal information (referred to as a "database or the equivalent of information related to personal information" in Article 31, paragraph (1)); provided, however, that this excludes persons set forth in each item of paragraph (2).
(8)"Academic research institution or the equivalent" in this Chapter means a university or other organization or group associated with academic studies, or a person belonging to it.
Section 2 Obligations of Businesses Handling Personal Information and Businesses Handling Information Related to Personal Information
(Specifying the Purpose of Use)
Article 17(1)In handling personal information, the business handling personal information must specify as much as possible the purpose for which it uses that information (hereinafter referred to as the "purpose of use").
(2)When altering the purpose of use, businesses handling personal information must not alter it beyond the extent that can be appreciably linked to what it was before the alteration.
(Restriction Due to Purpose of Use)
Article 18(1)A business handling personal information must not handle personal information beyond the scope necessary for achieving the purpose of use specified pursuant to the provisions of the preceding Article without obtaining the identifiable person's consent to do so in advance.
(2)If, due to a merger or other such circumstances, a business handling personal information acquires personal information when succeeding to the business of another business handling personal information, it must not handle that personal information beyond the scope necessary for achieving the pre-succession purpose of use for that personal information without obtaining the identifiable person's consent to do so in advance.
(3)The provisions of the preceding two paragraphs do not apply in the following cases:
(i)cases based on laws and regulations (including local ordinances; hereinafter the same applies in this Chapter);
(ii)cases in which there is a need to protect the life, wellbeing, or property of an individual, and it is difficult to obtain the consent of the identifiable person;
(iii)cases in which there is a special need to improve public wellbeing or promote healthy child development, and it is difficult to obtain the consent of the identifiable person;
(iv)cases in which there is a need to cooperate with a national government organ, local government, or person entrusted thereby with performing the functions prescribed by laws and regulations, and obtaining the consent of the identifiable person is likely to interfere with the performance of those functions;
(v)cases in which the business handling personal information is an academic research institution or the equivalent, and needs to handle the personal information for the purpose of using it in academic research (hereinafter referred to as "academic research purposes" in this Chapter) (including cases in which a part of the purpose of handling the personal information is for academic research purposes, and excluding cases in which there is a risk of unjustly infringing on individual rights and interests);
(vi)cases in which personal data is provided to an academic research institution or the equivalent, and they need to handle the personal data for academic research purposes (including cases in which a part of the purpose of handling the personal data is for academic research purposes, and excluding cases in which there is a risk of unjustly infringing on individual rights and interests).
(Prohibition of Inappropriate Use)
Article 19A business handling personal information must not utilize personal information in a way that there is a possibility of fomenting or inducing an unlawful or unjust act.
(Proper Acquisition)
Article 20(1)A business handling personal information must not acquire personal information by deception or other wrongful means.
(2)A business handling personal information must not acquire sensitive personal information without obtaining the identifiable person's consent in advance, except cases set forth in the following:
(i)cases based on laws and regulations;
(ii)cases in which there is a need to protect the life, wellbeing, or property of an individual, and it is difficult to obtain the consent of the identifiable person;
(iii)cases in which there is a special need to improve public wellbeing or promote healthy child development, and it is difficult to obtain the consent of the identifiable person;
(iv)cases in which there is a need to cooperate with a national government organ, local government, or person entrusted thereby with performing the functions prescribed by laws and regulations, and the consent of the identifiable person is likely to interfere with the performance of those functions;
(v)cases in which the business handling personal information is an academic research institution or the equivalent, and needs to handle the sensitive personal information for academic research purposes (including cases in which a part of the purpose of handling the sensitive personal information is for academic research purposes, and excluding cases in which there is a risk of unjustly infringing on individual rights and interests);
(vi)cases of acquiring the sensitive personal information from an academic research institution or the equivalent and it is necessary to acquire that information for academic research purpose (including cases in which a part of the purpose of acquiring the sensitive personal information is for academic research purposes, excluding cases in which there is a risk of unjustly infringing on individual rights and interests) (limited to cases in which the business handling personal information and the academic research institution or the equivalent jointly conduct academic research);
(vii)cases in which the sensitive personal information is open to the public by a person identifiable by that information, a national government organ, a local government, an academic research institution or the equivalent, a person set forth in each item of Article 57, paragraph (1), or other person prescribed by Order of the Personal Information Protection Commission;
(viii)other cases prescribed by Cabinet Order as equivalent to the cases set forth in each preceding item.
(Notification of a Purpose of Use when Acquiring Personal Information)
Article 21(1)Unless the purpose of use has already been disclosed to the public, a business handling personal information must promptly notify the identifiable person of that purpose of use or disclose this to the public once it has acquired personal information.
(2)Notwithstanding the provisions of the preceding paragraph, a business handling personal information must explicitly specify the purpose of use to the identifiable person, before acquiring their personal information which appears in a written agreement or other document (this includes an electronic or magnetic record; hereinafter the same applies in this paragraph) as a result of concluding an agreement with that person; or acquiring their personal information which appears in a document, directly from the person in question; provided, however, that this does not apply if there is an urgent necessity to dispense with this requirement in order to protect the life, wellbeing, or property of an individual.
(3)If a business handling personal information alters the purpose of use, it must notify identifiable persons of the altered purpose of use or disclose this to the public.
(4)The provisions of the preceding three paragraphs do not apply in the following cases:
(i)notifying the identifiable person of the purpose of use or disclosing this to the public is likely to harm the life, wellbeing, property, or other rights or interests of the identifiable person or a third party;
(ii)notifying the identifiable person of the purpose of use or disclosing this to the public is likely to harm the rights or legitimate interests of the business handling personal information;
(iii)it is necessary for the business to cooperate with a national government organ or a local government in performing the functions prescribed by laws and regulations, and notifying the identifiable person of the purpose of use or disclosing this to the public is likely to interfere with the performance of those functions;
(iv)the purpose of use is considered to be clear, in light of the circumstances in which the personal information is acquired.
(Maintaining the Accuracy of Data)
Article 22Businesses handling personal information must endeavor to keep the content of personal data accurate and up to date, within the scope necessary for achieving the purpose of use, and delete the personal data without delay if they no longer require it.
(Measures for Managing the Security of Personal Data)
Article 23Businesses handling personal information must take the necessary and appropriate measures for managing the security of personal data including preventing the leaking, loss or damage of the personal data they handle.
(Supervision of Employees)
Article 24In having an employee handle personal data, businesses handling personal information must exercise the necessary and adequate supervision over that employee to ensure the secure management of the personal data.
(Supervision of an Entrusted Person)
Article 25If a business handling personal information entrusts another person with all or part of the handling of personal data, it must exercise the necessary and adequate supervision over the person it entrusts, so as to ensure the secure management of the personal data with whose handling it entrusts that person.
(Reporting Leaks)
Article 26(1)Pursuant to Order of the Personal Information Protection Commission, businesses handling personal information must report leaks, loss or damage and other situations concerning the security of the personal data they handle, which are prescribed by Order of the Personal Information Protection Commission as those likely to harm individual rights and interests, to the Personal Information Protection Commission; provided, however, that this does not apply to cases in which another business handling personal information or administrative entity has entrusted the business in question with all or part of the handling of the personal data, and it has notified that other business handling personal information or administrative entity of the situation as prescribed by Order of the Personal Information Protection Commission.
(2)In cases prescribed in the preceding paragraph, businesses handling personal information (excluding those that have given a notice under the proviso of that paragraph) must notify the identifiable person of the occurrence of the situation, pursuant to Order of the Personal Information Protection Commission; provided, however, that this does not apply if it is difficult to notify the identifiable person of that occurrence, and the necessary alternative measures are taken to protect that person's rights and interests.
(Restrictions on Provision of Personal Data to Third Parties)
Article 27(1)Businesses handling personal information must not provide personal data to a third party without obtaining the identifiable person's consent in advance, except cases set forth below:
(i)cases based on laws and regulations;
(ii)cases in which there is a need to protect the life, wellbeing, or property of an individual, and it is difficult to obtain the consent of the identifiable person;
(iii)cases in which there is a special need to improve public wellbeing or promote healthy child development, and it is difficult to obtain the consent of the identifiable person;
(iv)cases in which there is a need to cooperate with a national government organ, local government, or person entrusted thereby with performing the functions prescribed by laws and regulations, and obtaining the consent of the identifiable person is likely to interfere with the performance of those functions;
(v)cases in which the business handling personal information is an academic research institution or the equivalent, and providing the personal data for the purpose of publication of academic research results or teaching is unavoidable (excluding cases in which there is a risk of unjustly infringing on individual rights and interests);
(vi)cases in which the business handling personal information is an academic research institution or the equivalent, and needs to provide the personal data for the academic research purpose (including cases in which a part of the purpose of handling the personal data is for academic research purposes, and excluding cases in which there is a risk of unjustly infringing on individual rights and interests) (limited to cases in which the business handling personal information and the third party jointly conduct academic research);
(vii)cases in which the third party is an academic research institution or the equivalent, and the third party needs to handle the personal data for academic research purposes (including cases in which a part of the purpose of handling the personal data is for academic research purposes, and excluding cases in which there is a risk of unjustly infringing on individual rights and interests).
(2)Notwithstanding the provisions of the preceding paragraph, if a business handling personal information agrees to cease to provide a third party with any personal data which can be used to identify the identifiable person, at the request of that person; the business notifies that person of the following information in advance or makes that information readily accessible to that person in advance, as provided for by Order of the Personal Information Protection Commission; and the business files a notification of this to the Commission, the business may provide that personal data to a third party; provided, however, that this does not apply to cases in which personal data which is to be provided to a third party is sensitive personal information, has been acquired in violation of the provisions of Article 21, paragraph (1), or has been provided by another business handling personal information pursuant to the provisions of the main clause of this paragraph (including personal data all or part of which has been reproduced or processed):
(i)the name and address of a business handling personal information that provides personal information to a third party and, if it is a corporation, the name of its representative (or for an organization without legal personality that has made provisions for a representative or manager, the name of the representative or administrator; hereinafter the same applies in this Article, Article 30, paragraph (1), item (i), and Article 32, paragraph (1), item (i));
(ii)the fact that providing the data to the third party constitutes the purpose of use;
(iii)the details of the personal data it will provide to the third party;
(iv)the means or manner in which it will acquire the data it provides to the third party;
(v)the means or manner in which it will provide the data to the third party;
(vi)the fact that it will cease to provide personal data that can be used to identify the identifiable person to a third party at the request of the identifiable person;
(vii)the means of receiving the identifiable person's request;
(viii)other matters prescribed by Order of the Personal Information Protection Commission as those necessary to protect individual rights and interests.
(3)If there has been an alteration to the details set forth in item (i) of the preceding paragraph, or businesses handling personal information have ceased to provide personal data pursuant to the provisions of the preceding paragraph, the businesses must notify the identifiable person of this or make this readily accessible to the person, and notify the Personal Information Protection Commission of this, pursuant to Order of the Personal Information Protection Commission, without delay; and if the businesses seek to alter the details set forth in items (iii) through (v), item (vii), or item (viii) of that paragraph, the businesses must do so beforehand.
(4)If a notification under paragraph (2) has been given, the Personal Information Protection Commission must disclose the details relating to the notification pursuant to Order of the Personal Information Protection Commission. The same applies to cases in which a notification under the preceding paragraph has been given.
(5)In the following cases, a person receiving personal data is not to fall under a third party regarding applying the provisions of each preceding paragraph:
(i)the business handling personal information entrusts a person with all or part of the handling of personal data within the scope necessary for achieving the purpose of use;
(ii)the personal data is provided when a person succeeds to the business due to a merger or other such circumstances;
(iii)the personal data is provided to specific persons who have joint use of that data, and the business notifies the person identifiable by that data of this in advance as well as the details of that data, the extent of the joint users, the users' purpose of use, and the name and address of the person responsible for managing the personal data, and, if the user is corporation, the name of its representative; or the business makes the foregoing information readily accessible to the person identifiable by that data in advance.
(6)If there has been an alteration to the name and address of the person responsible for managing the personal data or, in cases of a corporation, to the name of the representative, as provided for in item (iii) of the preceding paragraph, the business handling personal information must notify the person identifiable by that data of this or make this readily accessible to the person identifiable by that data, without delay; and if the business intends to alter a user's purpose of use or the person responsible for the management as provided for in that item, the business must do so beforehand.
(Restrictions on the Provision of Personal Data to Third Parties in Foreign Countries)
Article 28(1)Except cases set forth in the items of paragraph (1) of the preceding Article, before businesses handling personal information provide personal data to a third party (excluding a person that establishes a system that conforms to standards prescribed by Order of the Personal Information Protection Commission as necessary for continuously taking measures equivalent to those that a business handling personal information must take concerning the handling of personal data pursuant to the provisions of this Section (referred to as "equivalent measures" in paragraph (3)); hereinafter the same applies in this paragraph, the following paragraph and Article 31, paragraph (1), item (ii)) in a foreign country (meaning a country or region located outside the territory of Japan; hereinafter the same applies in this Article and Article 31, paragraph (1), item (ii)) (excluding those prescribed by Order of the Personal Information Protection Commission as a foreign country that has established a personal information protection system recognized to have equivalent standards to that in Japan regarding the protection of individual rights and interests; hereinafter the same applies in this Article and Article 31, paragraph (1), item (ii)), the businesses must obtain an identifiable person's consent to the effect that the person approves the provision to a third party in a foreign country. In this case, the provisions of the preceding Article do not apply.
(2)Before intending to obtain the identifiable person's consent pursuant to the provisions of the preceding paragraph, businesses handling personal information must provide that person with information on the personal information protection system of the foreign country, on the measures the third party takes for the protection of personal information, and other information that is to serve as a reference to that person, pursuant to Order of the Personal Information Protection Commission.
(3)When having provided personal data to a third party (limited to a person establishing a system prescribed in paragraph (1)) in a foreign country, businesses handling personal information must take necessary measures to ensure continuous implementation of the equivalent measures by the third party, and provide information on the necessary measures to the identifiable person at the request of that person, pursuant to Order of the Personal Information Protection Commission.
(Preparing of Records on Provision of Personal Data to Third Parties)
Article 29(1)When having provided personal data to a third party (excluding a person set forth in each item of Article 16, paragraph (2); hereinafter the same applies in this Article and the following Article (including as applied mutatis mutandis pursuant to Article 31, paragraph (3) following the deemed replacement of terms)), businesses handling personal information must prepare a record pursuant to Order of the Personal Information Protection Commission on the date of the provision of the personal data, the name of the third party, and other matters prescribed by Order of the Personal Information Protection Commission; provided, however, that this does not apply to cases in which the provision of personal data falls under any of the items of Article 27, paragraph (1) or paragraph (5) (or any of the items of Article 27, paragraph (1), in cases of a provision of personal data under paragraph (1) of the preceding Article).
(2)A business handling personal information must keep a record under the preceding paragraph for a period of time prescribed by Order of the Personal Information Protection Commission from the date when it prepared the record.
(Confirmation on Receiving Personal Data from a Third Party)
Article 30(1)When receiving personal data from a third party, businesses handling personal information must confirm matters set forth in the following pursuant to Order of the Personal Information Protection Commission; provided, however, that this does not apply to cases in which the provision of personal data falls under any of the items of Article 27, paragraph (1) or paragraph (5):
(i)the name and address of the third party and, if the third party is a corporation, the name of its representative;
(ii)background of the acquisition of the personal data by the third party.
(2)If a business handling personal information conducts confirmation under the preceding paragraph, a third party referred to in the preceding paragraph must not deceive the business handling personal information on a matter relating to the confirmation.
(3)When having given confirmation under paragraph (1), a business handling personal information must prepare a record pursuant to Order of the Personal Information Protection Commission on the date when it received the personal data, matters concerning the confirmation, and other matters prescribed by Order of the Personal Information Protection Commission.
(4)Businesses handling personal information must keep a record referred to in the preceding paragraph for a period of time prescribed by Order of the Personal Information Protection Commission from the date when they prepared the record.
(Restrictions on the Provision of Information Related to Personal Information to Third Parties)
Article 31(1)Except cases set forth in each item of Article 27, paragraph (1), if it is assumed that a third party acquires information related to personal information (limited to those compiled in a database or the equivalent of information related to personal information; hereinafter the same applies in this Chapter and Chapter VI) as personal data, businesses handling information related to personal information must not provide the information related to personal information to the third party without confirming the matters set forth as follows pursuant to Order of the Personal Information Protection Commission:
(i)the identifiable person's consent to the effect that the person approves of the third party acquiring information related to personal information as personal data that can identify the person from the business handling information related to personal information, has been obtained;
(ii)for provision to a third party in a foreign country, before the businesses obtain the identifiable person's consent referred to in the preceding item, information on the personal information protection system of the foreign country, information on the measures the third party takes for the protection of personal information, and other information that serves as a reference to the person, has been provided in advance to the person pursuant to Order of the Personal Information Protection Commission.
(2)The provisions of Article 28, paragraph (3) apply mutatis mutandis to cases in which a business handling information related to personal information provides information related to personal information pursuant to the provisions of the preceding paragraph. In this case, the phrase ", and provide information on the necessary measures to the identifiable person at the request of that person," in Article 28, paragraph (3) is deemed to be replaced with ",".
(3)The provisions of paragraphs (2) through (4) of the preceding Article apply mutatis mutandis to cases in which a business handling information related to personal information conducts confirmation pursuant to the provisions of paragraph (1). In this case, the phrase "received" in paragraph (3) of the preceding Article is deemed to be replaced with "provided."
(Disclosure of Information about the Personal Data a Business Holds)
Article 32(1)Businesses handling personal information must make the following information about the personal data they hold accessible to identifiable persons (making that information accessible includes providing answers without delay as requested by identifiable persons):
(i)the name and address of the business handling personal information, and if it is a corporation, the name of its representative;
(ii)the purpose of use of all personal data the business holds (excluding cases falling under Article 21, paragraph (4), items (i) through (iii));
(iii)the procedures for responding to a request under the following paragraph, or to a request under paragraph (1) of the following Article (including as applied mutatis mutandis pursuant to paragraph (5) of that Article); Article 34, paragraph (1); or Article 35, paragraph (1), paragraph (3), or paragraph (5) (including the amount of the fee, if one is set pursuant to the provisions of Article 38, paragraph (2));
(iv)beyond what is set forth in the preceding three items, those prescribed by Cabinet Order as matters necessary to ensure the proper handling of personal data the business holds.
(2)If an identifiable person requests that a business handling personal information notify that person of the purpose of use of the personal data the business holds that can be used to identify that person, the business must notify the person of this without delay; provided, however, that this does not apply in a case falling under one of the following items:
(i)the purpose of use of the personal data the business holds that can be used to identify the identifiable person has been made clear pursuant to the provisions of the preceding paragraph;
(ii)cases falling under Article 21, paragraph (4), items (i) through (iii).
(3)If a business handling personal information decides not to notify the identifiable person of the purpose of use of the personal data the business holds as requested pursuant to the preceding paragraph, the business must notify the identifiable person of this without delay.
(Disclosure)
Article 33(1)An identifiable person may request that a business handling personal information disclose personal data the business holds that can identify that person through electronic or magnetic records or other means as prescribed by Order of the Personal Information Protection Commission.
(2)When having received a request under the preceding paragraph, a business handling personal information must disclose personal data the business holds to an identifiable person without delay by means that person requests pursuant to the provisions of that paragraph (or by paper-based document, in cases in which disclosing the data by that means would require a costly expenditure or prove otherwise difficult); provided, however, that in cases in which disclosing that data falls under any of the following items, all or a part of it may not be disclosed:
(i)if disclosure is likely to harm the life, wellbeing, property, or other rights or interests of the identifiable person or a third party;
(ii)if disclosure is likely to seriously interfere with the proper implementation of the business of the business handling personal information;
(iii)if disclosure would violate any other law or regulation.
(3)If a business handling personal information decides not to disclose all or part of the personal data the business holds as requested pursuant to the provisions of paragraph (1), if that data does not exist, or if it is difficult to disclose that data by the means the identifiable person requests pursuant to the provisions of that paragraph, the business must notify that person of this without delay.
(4)If, pursuant to the provisions of any other law or regulation, all or part of the personal data a business holds that can be used to identify an identifiable person is to be disclosed to the identifiable person by a means equivalent to what is prescribed in the main clause of paragraph (2), the provisions of paragraphs (1) and (2) do not apply to either the whole or the relevant part of the personal data the business holds.
(5)The provisions of paragraphs (1) through (3) apply mutatis mutandis to records referred to in Article 29, paragraph (1) and Article 30, paragraph (3) that are related to personal data that can be used to identify the identifiable person (excluding those prescribed by Cabinet Order as likely to harm the public or other interests if its existence or non-existence is made clear; referred to as a "record of provision to a third party" in Article 37, paragraph (2)).
(Corrections)
Article 34(1)If the content of personal data a business holds that can be used to identify the identifiable person is not factual, the person may request that the business handling personal information make a correction, addition, or deletion (hereinafter referred to as a "correction" in this Article) on the content of the personal data the business holds.
(2)Except in cases in which special procedures concerning correction of the content are prescribed by the provisions of other laws or regulations, when a business handling personal information has been requested to make a correction pursuant to the provisions of the preceding paragraph, the business must conduct necessary investigation without delay to the extent necessary to achieve the purpose of use, and based on its result, make corrections to the contents of the personal data the business holds.
(3)If a business handling personal information has made a correction to all or part of the contents of the personal data the business holds in connection with a request under paragraph (1), or has made a decision not to make a correction, the business must notify the identifiable person to that effect without delay (including the content of a correction, if the business has made it).
(Ceasing to Use or Deleting Personal Data)
Article 35(1)Identifiable persons may request that a business handling personal information cease to use or delete the personal data the business holds that can be used to identify that person (hereinafter referred to as a "ceasing to use or deleting personal data" in this Article), if the personal data the business holds is being handled in violation of the provisions of Article 18 or 19, or has been obtained in violation of the provisions of Article 20.
(2)If a business handling personal information has received a request under the preceding paragraph, and there are found to be grounds for that request, the business must cease to use or delete the personal data the business holds to the extent necessary to redress the violation without delay; provided, however, that this does not apply if ceasing to use or deleting the personal data the business holds would require a costly expenditure or prove otherwise difficult, and the business takes the necessary alternative measures to protect the rights and interests of the identifiable person.
(3)Identifiable persons may request that a business handling personal information cease to provide a third party with the personal data the business holds that can be used to identify the person, if the personal data the business holds is being provided to a third party in violation of the provisions of Article 27, paragraph (1) or Article 28.
(4)If a business handling personal information has received a request under the preceding paragraph, and there are found to be grounds for that request, the business must cease to provide a third party with the personal data the business holds without delay; provided, however, that this does not apply if ceasing to provide a third party with the personal data the business holds would require a costly expenditure or prove otherwise difficult, and the business takes the necessary alternative measures to protect an identifiable person's rights and interests.
(5)An identifiable person may request that a business handling personal information cease to use or delete the personal data the business holds that can be used to identify the person, or cease to provide a third party with the personal data the business holds, if it has ceased to be necessary for the business to use that personal data, if the situation concerning that personal data as prescribed in the main text of Article 26, paragraph (1) has occurred, or if handling that personal data is likely to harm the identifiable person's rights and interests.
(6)If a business handling personal information has received a request under the preceding paragraph, and there are found to be grounds for that request, the business must cease to use or delete the personal data the business holds, or cease to provide a third party with the data the business holds to the extent necessary to prevent an infringement of the identifiable person's rights and interests without delay; provided, however, that this does not apply if ceasing to use or deleting the personal data the business holds or ceasing to provide a third party with that personal data would require a costly expenditure or prove otherwise difficult, and the business takes the necessary alternative measures to protect the identifiable person's rights and interests.
(7)If a business handling personal information has ceased to use or deleted, or decided not to cease to use or delete all or part of personal data the business holds in connection with a request under paragraph (1) or (5), or the business has ceased to provide a third party or decided not to cease to provide a third party with all or part of personal data the business holds in connection with a request under paragraph (3) or (5), the business must notify the identifiable person to that effect without delay.
(Explanation of Reasons)
Article 36If, pursuant to the provisions of Article 32, paragraph (3), Article 33, paragraph (3) (including as applied mutatis mutandis pursuant to paragraph (5) of that Article); Article 34, paragraph (3) or paragraph (7) of the preceding Article, a business handling personal information notifies an identifiable person that it will not take all or part of the measures which the person has requested the business take, or that it will take different measures, the business must endeavor to explain its reasons for this to the person.
(Procedures for Dealing with Requests for Disclosure and Other Handling)
Article 37(1)As regards a request under Article 32, paragraph (2), or a request under Article 33, paragraph (1) (including as applied mutatis mutandis pursuant to paragraph (5) of that Article; the same applies in paragraph (1) of the following Article and Article 39), Article 34, paragraph (1), Article 35, paragraph (1), (3), or (5) (hereinafter referred to as a "request for disclosure or other handling" in this Article and Article 54, paragraph (1)), a business handling personal information may decide on a method of receiving a request as prescribed by Cabinet Order. In such a case, an identifiable person must request disclosure or other handling in that way.
(2)A business handling personal information may request an identifiable person requesting disclosure or other handling to present sufficient information to identify the personal data the business holds or the record of provision to a third party that would be subject to the disclosure or other handling. In such a case, the business handling personal information must provide information to help the person identify the relevant personal data the business holds or the relevant record of provision to a third party, or take other appropriate measures in consideration of the identifiable person's convenience, so as to allow the person to easily and accurately request disclosure or other handling.
(3)A person may request disclosure or other handling through an agent, as prescribed by Cabinet Order.
(4)In establishing procedures for dealing with requests for disclosure and other handling pursuant to the preceding three paragraphs, a business handling personal information must take care to ensure that the procedures do not impose an excessive burden on identifiable persons.
(Fees)
Article 38(1)If a business handling personal information receives a request for a notification of the purpose of use under Article 32, paragraph (2) or a request for disclosure under Article 33, paragraph (1), it may collect a fee for taking the relevant measures.
(2)If a business handling personal information collects a fee pursuant to the provisions of the preceding paragraph, it must fix the amount of that fee within a scope that can be considered reasonable in consideration of actual costs.
(Requests in Advance)
Article 39(1)When seeking to file a lawsuit in connection with a request under Article 33, paragraph (1), Article 34, paragraph (1), or Article 35, paragraph (1), (3), or (5), the identifiable person may not file the lawsuit unless the identifiable person had previously issued a request against a person who should become a defendant in the lawsuit and two weeks have elapsed since the arrival day of the issued request; provided, however, that this does not apply if the person who should become a defendant in the lawsuit has rejected the request.
(2)A request under the preceding paragraph is deemed to have arrived at the time when it should normally have arrived.
(3)The provisions of the preceding two paragraphs apply mutatis mutandis to a petition for a provisional disposition order in connection with a request under Article 33, paragraph (1), Article 34, paragraph (1), or Article 35, paragraph (1), (3), or (5).
(Complaint Processing by Businesses Handling Personal Information)
Article 40(1)A business handling personal information must endeavor to process complaints about the handling of personal information appropriately and promptly.
(2)A business handling personal information must endeavor to establish the necessary systems for achieving the purpose referred to in the preceding paragraph.
Section 3 Obligations of Businesses Handling Pseudonymized Personal Information
(Preparation of Pseudonymized Personal Information)
Article 41(1)When preparing pseudonymized personal information (limited to those compiled in a pseudonymized personal information database or the equivalent; hereinafter the same applies in this Chapter and Chapter VI), businesses handling personal information must process personal information in accordance with standards prescribed by Order of the Personal Information Protection Commission as those necessary to make it impossible to identify a specific individual unless collated with other information.
(2)When having prepared pseudonymized personal information or having acquired pseudonymized personal information and deleted or other related information (meaning information related to identifiers or their equivalent and individual identification codes that were deleted from personal information used to prepare the pseudonymized personal information, and the means of processing carried out pursuant to the provisions of the preceding paragraph; hereinafter the same applies in this Article and paragraph (7) as applied mutatis mutandis pursuant to paragraph (3) of the following Article following the deemed replacement of terms) related to the pseudonymized information, businesses handling personal information must take measures for the management of the security of deleted or other related information in accordance with standards prescribed by Order of the Personal Information Protection Commission as those necessary to prevent the leaking of deleted or other related information.
(3)Notwithstanding the provision of Article 18 and except cases based on laws and regulations, a business handling pseudonymized personal information (limited to a business handling personal information; hereinafter the same applies in this Article) must not handle pseudonymized personal information (limited to personal information; hereinafter the same applies in this Article) beyond the necessary scope to achieve the purpose of use specified pursuant to the provisions of Article 17, paragraph (1).
(4)With regard to applying the provisions of Article 21 related to pseudonymized personal information, the phrase "notify the identifiable person of that purpose of use or disclose this to the public" in paragraphs (1) and (3) of that Article is deemed to be replaced with "disclose that purpose of use"; the phrase "notifying the identifiable person of the purpose of use or disclosing this to the public" in the provisions of items (i) through (iii) of paragraph (4) of that Article is deemed to be replaced with "disclosing the purpose of use".
(5)Businesses handling pseudonymized personal information must endeavor to erase personal data that constitutes pseudonymized personal information and deleted or other related information without delay when utilization of the personal data and the deleted or other related information has become unnecessary. In this case, the provisions of Article 22 do not apply.
(6)Notwithstanding the provisions of Article 27, paragraphs (1) and (2), and Article 28, paragraph (1), and except cases based on laws and regulations, businesses handling pseudonymized personal information must not provide a third party with personal data that constitutes pseudonymized personal information. In this case, the term "each preceding paragraph" in Article 27, paragraph (5) is deemed to be replaced with "Article 41, paragraph (6)"; the phrase "notifies the person identifiable by that data of this in advance as well as the details of that data, the extent of the joint users, the users' purpose of use, and the name and address of the person responsible for managing the personal data, and, if the user is corporation, the name of its representative; or the business makes the foregoing information readily accessible to the person identifiable by that data in advance" in item (iii) of that paragraph is deemed to be replaced with "disclose this in advance as well as the details of that data, the extent of the joint users, the users' purpose of use, and the name and address of the person responsible for managing the personal data, and, if the user is corporation, the name of its representative"; the phrase "notify the person identifiable by that data of this or make this readily accessible to the person identifiable by that data, without delay" in Article 27, paragraph (6) is deemed to be replaced with "disclose this without delay"; the phrase "any of the items of Article 27, paragraph (1) or paragraph (5) (or any of the items of Article 27, paragraph (1), in cases of a provision of personal data under paragraph (1) of the preceding Article)" in the proviso of Article 29, paragraph (1), and the term "any of the items of Article 27, paragraph (1) or paragraph (5)" in the proviso of Article 30, paragraph (1) are deemed to be replaced with "cases based on laws and regulations or any of the items of Article 27, paragraph (5)".
(7)Businesses handling pseudonymized personal information, in handling that information, must not collate the pseudonymized personal information with other information in order to identify a person identifiable by personal information that was used to prepare the pseudonymized personal information.
(8)Businesses handling pseudonymized personal information, in handling that information, must not use contact addresses and other information contained in the pseudonymized personal information for telephoning, for sending by mail or by correspondence delivery prescribed in Article 2, paragraph (2) of the Act on Correspondence Delivery by Private Business Operators (Act No. 99 of 2002) conducted by a general correspondence delivery operator prescribed in Article 2, paragraph (6) or a specified correspondence delivery operator prescribed in Article 2, paragraph (9), for delivering a telegram, for transmitting information using a facsimile machine or electronic or magnetic means (meaning means that use electronic data processing system or means that utilize other information communication technology as prescribed by Order of the Personal Information Protection Commission), or for visiting a residence.
(9)The provisions of Article 17, paragraph (2), Article 26 and Articles 32 through 39 do not apply regarding pseudonymized personal information, personal data that constitutes pseudonymized personal information, and personal data the business holds that constitutes pseudonymized personal information.
(Restrictions on Provision of Pseudonymized Personal Information to Third Parties)
Article 42(1)Except in cases based on laws and regulations, businesses handling pseudonymized personal information must not provide pseudonymized personal information (excluding those that constitute personal information; the same applies in the following paragraph and paragraph (3)) to a third party.
(2)The provisions of Article 27, paragraphs (5) and (6) apply mutatis mutandis to a person receiving pseudonymized personal information. In this case, the term "each preceding paragraph" in Article 27, paragraph (5) is deemed to be replaced with "Article 42, paragraph (1)"; the term "business handling personal information" in item (i) of the paragraph is deemed to be replaced with "business handling pseudonymized personal information"; the phrase "notifies the person identifiable by that data of this in advance as well as the details of that data, the extent of the joint users, the users' purpose of use, and the name and address of the person responsible for managing the personal data, and, if the user is corporation, the name of its representative; or the business makes the foregoing information readily accessible to the person identifiable by that data in advance" in item (iii) of the paragraph is deemed to be replaced with "disclose this in advance as well as the details of that data, the extent of the joint users, the users' purpose of use, and the name and address of the person responsible for managing the personal data, and, if the user is corporation, the name of its representative"; the term "business handling personal information" in Article 27, paragraph (6) is deemed to be replaced with "businesses handling pseudonymized personal information", and the phrase "notify the person identifiable by that data of this or make this readily accessible to the person identifiable by that data, without delay" is deemed to be replaced with "disclose this without delay" in Article 27, paragraph (6).
(3)The provisions of Articles 23 through 25, Article 40, and paragraphs (7) and (8) of the preceding Article apply mutatis mutandis to the handling of pseudonymized personal information by a business handling pseudonymized personal information. In this case, the phrase "leaking, loss or damage" in Article 23 is deemed to be replaced with "leaking"; and the term "not" in Article 41, paragraph (7) is replaced with "neither acquire deleted or other related information, nor".
Section 4 Obligations of Businesses Handling Anonymized Personal Information
(Preparation of Anonymized Personal Information)
Article 43(1)When preparing anonymized personal information (limited to those compiled in an anonymized personal information database or the equivalent; hereinafter the same applies in this Chapter and Chapter VI), businesses handling personal information must process personal information in accordance with standards prescribed by Order of the Personal Information Protection Commission as those necessary to make it impossible to identify a specific individual and restore the information to its original state.
(2)When having prepared anonymized personal information, businesses handling personal information must take measures for the management of the security of information relating to identifiers or their equivalent and individual identification codes that were deleted from personal information used to prepare the anonymized personal information, and information on the means of processing carried out pursuant to the provisions of the preceding paragraph, in accordance with standards prescribed by Order of the Personal Information Protection Commission as those necessary to prevent the leaking of that information.
(3)When having prepared anonymized personal information, businesses handling personal information must disclose the categories of information on an individual that is contained in the anonymized personal information, pursuant to Order of the Personal Information Protection Commission.
(4)Businesses handling personal information, before providing anonymized personal information it prepared to a third party, must disclose the categories of information on an individual that is contained in the anonymized personal information the business will provide to the third party, and the means of providing this, and state to the third party explicitly that the information the business will provide is anonymized personal information, pursuant to Order of the Personal Information Protection Commission.
(5)Businesses handling personal information, when handling anonymized personal information it prepared by itself, must not collate the anonymized personal information with other information in order to identify a person identifiable by personal information that was used to prepare that anonymized personal information.
(6)When having prepared anonymized personal information, businesses handling personal information must endeavor to take the necessary and appropriate measures for managing the security of the anonymized personal information, and the necessary measures for processing complaints about the preparation or other handling of the anonymized personal information, or for otherwise ensuring the proper handling of the anonymized personal information; and endeavor to disclose the content of those measures.
(Providing Anonymized Personal Information)
Article 44Businesses handling anonymized personal information, before providing anonymized personal information (excluding those into which they have processed personal information themselves; hereinafter the same applies in this Section) to a third party, must disclose the categories of information on an individual that is contained in the anonymized personal information it will provide to the third party, and the means of providing this, and state to the third party explicitly that the information it will provide is anonymized personal information, pursuant to Order of the Personal Information Protection Commission.
(Prohibition against Identifying Persons)
Article 45Businesses handling anonymized personal information, when handling anonymized personal information, must neither acquire information relating to identifiers or their equivalent or individual identification codes deleted from the personal information and information relating to methods of processing carried out pursuant to the provisions of Article 43, paragraph (1) or Article 116, paragraph (1) (including cases in which it is applied mutatis mutandis pursuant to Article 116, paragraph (2)), nor collate the anonymized personal information with other information in order to identify a person identifiable by personal information that was used to prepare that anonymized personal information.
(Measures for Managing the Security of Anonymized Personal Information)
Article 46Businesses handling anonymized personal information must endeavor to take the necessary and appropriate measures for managing the security of anonymized personal information and the necessary measures to ensure the proper handling of anonymized personal information such as processing complaints about the handling of anonymized personal information, and must endeavor to disclose the content of those measures.
Section 5 Promoting the Protection of Personal Information in the Private Sector
(Certification)
Article 47(1)A corporation (or an organization without legal personality that has made provisions for a representative or manager; the same applies in item (iii), (b) of the following Article) seeking to perform services as set forth in one of the following items with the aim of ensuring that a business handling personal information, pseudonymized personal information, or anonymized personal information (hereinafter referred to as "personal or other related information" in this Chapter) (the business in question is hereinafter referred to as a "business handling personal or other related information" in this Chapter) handles the personal information properly may receive certification from the Personal Information Protection Commission:
(i)complaint processing under Article 53 regarding the handling of personal or other related information by businesses handling personal or other related information which are covered by the corporation's services (hereinafter each such business is referred to as a "covered business");
(ii)providing covered businesses with information about things that contribute to ensuring the proper handling of personal or other related information;
(iii)services beyond what is set forth in the preceding two items which are necessary for ensuring the proper handling of personal or other related information by covered businesses.
(2)The certification set forth in the preceding paragraph may be limited in respect of the type or scope of services of businesses handling personal or other related information that are covered.
(3)A person seeking the certification referred to in the preceding paragraph must apply to the Personal Information Protection Commission as prescribed by Cabinet Order.
(4)After granting a certification under paragraph (1), the Personal Information Protection Commission must make a public notice to that effect (including the scope of services concerning the certification, in cases of the certification limiting the scope of services pursuant to the provisions of paragraph (2)).
(Conditions for Ineligibility)
Article 48A person falling under one of the following items may not be certified as referred to in paragraph (1) of the preceding Article:
(i)a person that has been sentenced pursuant to any provision of this Act, if two years have not yet passed since the person finished serving the sentence or ceased to be subject to its enforcement;
(ii)a person whose certification has been revoked pursuant to the provisions of Article 155, paragraph (1), if two years have not yet passed since the revocation;
(iii)a person with an executive officer (or with a representative or manager, in an organization without legal personality that has made provisions for a representative or manager; hereinafter the same applies in this Article) that falls under one of the following categories:
(a)a person that has been sentenced to imprisonment or a heavier punishment or that has been sentenced pursuant to any provision of this Act, if two years have not yet passed since the person finished serving the sentence or ceased to be subject to its enforcement;
(b)a person that, during the 30 days before the revocation, was the officer of a corporation whose certification has been revoked pursuant to the provisions of Article 155, paragraph (1), if two years have not yet passed since the revocation.
(Certification Standards)
Article 49The Personal Information Protection Commission must not grant a certification unless it finds the application for certification referred to in Article 47, paragraph (1) to conform to all of the following requirements:
(i)the applicant has established the necessary methods of business implementation to allow it to perform the services set forth in the items of Article 47, paragraph (1) properly and reliably;
(ii)the applicant's knowledge, capabilities, and financial base are sufficient to allow it to perform the services set forth in the items of Article 47, paragraph (1) properly and reliably;
(iii)if the applicant engages in business other than the services set forth in the items of Article 47, paragraph (1), its engagement in that business is unlikely to give rise to unfairness in the services set forth in the items of that paragraph.
(Certification of Alterations)
Article 50(1)If a person that has received certification under Article 47, paragraph (1) (including that limiting the scope of services pursuant to the provisions of paragraph (2) of that Article; the same applies in paragraph (1) of the following Article and Article 155, paragraph (1), item (v)) seeks to alter the scope of services concerning the certification, the person must receive certification from the Personal Information Protection Commission; provided, however, that this does not apply to a minor alteration as prescribed by Order of the Personal Information Protection Commission.
(2)The provisions of Article 47, paragraphs (3) and (4) and the preceding Article apply mutatis mutandis to the certification of alteration referred to in the preceding paragraph.
(Notification of Discontinuation)
Article 51(1)Before intending to discontinue the services subject to certification (hereinafter referred to as "certified services" in this Section and Chapter VI), a person that has received certification under Article 47, paragraph (1) (including the certification of alteration under paragraph (1) of the preceding Article) (the person in question is hereinafter referred to as a "certified personal information protection organization" in this Section and Chapter VI) must notify the Personal Information Protection Commission to that effect as prescribed by Cabinet Order.
(2)Upon receiving notification under the preceding paragraph, the Personal Information Protection Commission must issue public notice indicating this.
(Covered Businesses)
Article 52(1)A certified personal information protection organization's covered businesses must be comprised of businesses handling personal or other related information that have agreed to be covered by its certified services. In this case, if a covered business does not comply with the personal information protection guidelines prescribed in Article 54, paragraph (1) even though measures pursuant to Article 54, paragraph (4) were taken, the covered business may be excluded from being covered by the certified services.
(2)A certified personal information protection organization must disclose the names of its covered businesses.
(Complaint Processing)
Article 53(1)If an identifiable person or other party files for a certified personal information protection organization to resolve a complaint about the handling of personal or other related information by a covered business, in addition to complying with any request for a consultation about this, providing the identifiable person or other party with the necessary advice, and investigating the circumstances to which the complaint pertains, the organization must notify the covered business of the substance and content of the complaint and request that it resolve the complaint expeditiously.
(2)If a certified personal information protection organization finds that it is necessary in connection with the resolution of a complaint under a filing referred to in the preceding paragraph, the organization may request that the covered business provide a written or oral explanation or submit materials.
(3)If a covered business has received a request under the preceding paragraph from a certified personal information protection organization, it must not refuse this request without a legitimate reason for doing so.
(Personal Information Protection Guidelines)
Article 54(1)In order to ensure the proper handling of personal or other related information by its covered businesses, a certified personal information protection organization must endeavor to create guidelines which follow the spirit of this Act (hereinafter referred to as "personal information protection guidelines" in this Section and Chapter VI), for how to specify the purpose of use of personal information, for measures to ensure its secure management, for procedures to deal with requests for disclosure or other handling, for other such matters, as well as how to produce pseudonymized processed information or anonymized personal information, and its security measures and other such matters, by listening to the opinions of representatives of customers or other relevant persons.
(2)When having developed personal information protection guidelines pursuant to the provisions of the preceding paragraph, certified personal information protection organizations must notify the Personal Information Protection Commission of the personal information protection guidelines without delay pursuant to Order of the Personal Information Protection Commission. The same applies if the guidelines are modified.
(3)When having been notified of personal information protection guidelines under the preceding paragraph, the Personal Information Protection Commission must disclose the personal information protection guidelines pursuant to Order of the Personal Information Protection Commission.
(4)When personal information protection guidelines have been disclosed pursuant to the provisions of the preceding paragraph, certified personal information protection organizations must take measures against a covered business such as providing guidance or recommendations necessary to make the covered business comply with the personal information protection guidelines.
(Prohibition against Unauthorized Use)
Article 55A certified personal information protection organization must not use information acquired in the course of certified services for purposes other than the certified services use for which the information is provided.
(Restriction on Name Use)
Article 56A person that is not a certified personal information protection organization must not use a name that refers to that person as a certified personal information protection organization, and must not use any other name that is confusingly similar to this.
Section 6 Miscellaneous Provisions
(Exclusion from Application)
Article 57(1)The provisions of the preceding Chapter do not apply to a business handling personal or other related information or business handling information related to personal information as set forth in one of the following items if all or part of the purpose for which it handles the information in question is the purpose prescribed in that item:
(i)broadcasting organizations, newspapers, news services, and other journalistic organizations (this includes individuals who work in news reporting): use in news reporting;
(ii)a person in the business of creating literary works: use in the creation of literary works;
(iii)a religious organization: use in a religious activity (this includes activities incidental to it);
(iv)a political organization: use in a political activity (this includes activities incidental to it).
(2)The "news reporting" prescribed in item (i) of the preceding paragraph means informing the general public of objective facts by presenting them as the truth (this includes stating an opinion or position based on those facts).
(3)A business handling personal or other related information as set forth in one of the items of paragraph (1) must, itself, endeavor to take the necessary and appropriate measures for managing the security of personal data, pseudonymized personal information or anonymized personal information, and the necessary measures for processing complaints about the handling of personal or other related information and for otherwise ensuring the proper handling of personal or other related information and must also endeavor to disclose the content of those measures.
(Exception to Application)
Article 58(1)The provisions of Articles 32 through 39 and Section 4 do not apply to a business handling personal information or a business handling anonymized personal information set forth as follows:
(i)a corporation listed in Appended Table 2;
(ii)a local incorporated administrative agency whose main purpose is providing the service listed in Article 21, item (i) of the Local Incorporated Administrative Agency Act, or whose purpose is providing the service listed in item (ii) or item (iii) of that Article (limited to the part relating to (h)).
(2)The handling of personal information, pseudonymized personal information, or information related to personal information conducted by a person set forth in each of the following items in the business prescribed in each item is deemed to be the handling of personal information by a business handling personal information, the handling of pseudonymized personal information by a business handling pseudonymized personal information, or the handling of information related to personal information by a business handling information related to personal information; and the provisions in this Chapter (excluding Articles 32 through 39 and Section 4) and Chapters VI through VIII apply to it:
(i)a local government organ: operation of a hospital prescribed in Article 1-5, paragraph (1) of the Medical Care Act (Act No. 205 of 1948) (referred to as a "hospital" in the following item), a clinic prescribed in paragraph (2) of that Article, and a university prescribed in Article 1 of the School Education Act (Act No. 26 of 1947);
(ii)Japan Organization of Occupational Health and Safety: operation of a hospital.
(Responsibilities of Academic Research Institutions or the Equivalent)
Article 59Academic research organizations or the equivalent which are businesses handling personal information must endeavor to comply with the provisions of this Act as well as personally take necessary measures for ensuring the appropriate handling of personal information for academic research purposes, and endeavor to disclose to the public the content of those measures.
Chapter V Obligations of Administrative Entities
Section 1 General Provisions
(Definitions)
Article 60(1)"Personal information the administrative entity holds" in this Chapter and Chapter VIII means personal information that an employee of an administrative entity (in a case of an incorporated administrative agency or other prescribed corporation or a local incorporated administrative agency, its officer is included; hereinafter the same applies in this Chapter and Chapter VIII) prepares or acquires in the course of that employee's duties, and that administrative entity holds for organizational use by its employees; provided, however, that the personal information the administrative entity holds is limited to personal information recorded in administrative or similar documents (meaning administrative documents prescribed in Article 2, paragraph (2) of the Act on Access to Information Held by Administrative Organs (Act No. 42 of 1999); hereinafter referred to as the "Administrative Organs Information Disclosure Act") in this Chapter), corporate documents (meaning corporate documents prescribed in Article 2, paragraph (2) of the Act on Access to Information Held by Incorporated Administrative Agencies (Act No. 140 of 2001); hereinafter referred to as "Incorporated Administrative Agencies Information Disclosure Act" in this Chapter; those documents include those listed in item (iv) of that paragraph), or local government documents (meaning documents, drawings, or electronic or magnetic records that an employee of a local government organ or local incorporated administrative agency prepares or acquires in the course of that employee's duties, and that local government organ or local incorporated administrative agency holds for organizational use by its employees; and excluding those prescribed by Cabinet Order as equivalent to those set forth in the items of Article 2, paragraph (2) of the Administrative Organs Information Disclosure Act) (the above-mentioned documents are hereinafter collectively referred to as "administrative or similar documents" in this Chapter).
(2)"Personal information file" in this Chapter and Chapter VIII means a collective body of information comprised of personal information the administrative entity holds, as set forth below:
(i)those systematically organized so as to be searchable for particular personal information the administrative entity holds, by using a computer for the purpose of certain processes;
(ii)beyond what is set forth in the preceding item, those systematically organized so as to be searchable for particular personal information the administrative entity holds, by using a name, date of birth or other identifiers or their equivalent for the purpose of certain processes.
(3)"Anonymized personal information the administrative entity holds" in this Chapter means any anonymized personal information that can be prepared in a way that processes all or a part of personal information the administrative entity holds that constitutes a personal information file that falls under all of the following items (if a part of that personal information the administrative entity holds contains non-disclosure information prescribed in Article 5 of the Administrative Organs Information Disclosure Act (excluding information listed in item (i) of that Article, and including information prescribed in the proviso of item (ii) of that Article; hereinafter the same applies in this paragraph), non-disclosure information prescribed in Article 5 of the Incorporated Administrative Agencies Information Disclosure Act (excluding information listed in item (i) of that Article, and including information prescribed in the proviso of item (ii) of that Article), or non-disclosure information prescribed in the information disclosure ordinance of local government (meaning a local government's ordinance which provides for the resident's or other equivalent person's right to request the disclosure of information the local government organ or local incorporated administrative agency holds; hereinafter the same applies in this Chapter) (that non-disclosure information means information equivalent to non-disclosure information prescribed in Article 5 of the Administrative Organs Information Disclosure Act), the part containing the above-mentioned non-disclosure information is excluded):
(i)the information does not fall under any of the items in Article 75, paragraph (2), or the information that is not designated under paragraph (3) of that Article as an exception to registration in the personal information file register as prescribed in paragraph (1) of that Article;
(ii)the information for which the head of an administrative organ as prescribed in Article 3 of the Administrative Organs Information Disclosure Act, an incorporated administrative agency or other prescribed corporation as prescribed in Article 2, paragraph (1) of the Incorporated Administrative Agencies Information Disclosure Act, a local government organ, or a local incorporated administrative agency is required to take either of the following measures, if that person receives a request to disclose any administrative or similar document in which the personal information the administrative entity holds that constitutes a personal information file is recorded (meaning a request for disclosure as prescribed in Article 3 of the Administrative Organs Information Disclosure Act, Article 3 of the Administrative Organs Information Disclosure Act, or the information disclosure ordinance);
(a)making a decision to disclose all or a part of the personal information the administrative entity holds that is recorded in that administrative or similar document;
(b)providing an opportunity to submit an opinion under Article 13, paragraph (1) or paragraph (2) of the Administrative Organs Information Disclosure Act, under Article 14, paragraph (1) or paragraph (2) of the Incorporated Administrative Agencies Information Disclosure Act, or under the information disclosure ordinance (limited to those with provisions equivalent to Article 13, paragraph (1) or (2) of the Administrative Organs Information Disclosure Act);
(iii)anonymized personal information can be prepared in a way that processes the personal information the administrative entity holds that constitutes a personal information file in accordance with the criteria set forth in Article 116, paragraph (1), and to the extent that it does not hinder proper and smooth management of processes and services by the administrative entity.
(4)The term "anonymized personal information file the administrative entity holds" in this Chapter means a collective body of information comprised of anonymized personal information the administrative entity holds, as set forth below:
(i)those systematically organized so as to be searchable for particular anonymized personal information the administrative entity holds, by using a computer;
(ii)beyond what is set forth in the preceding item, those prescribed by Cabinet Order as having been systematically organized so as to be searchable for particular anonymized personal information the administrative entity holds.
(5)The term "sensitive personal information prescribed by local ordinance" in this Chapter means personal information (excluding sensitive personal information) that is held by a local government organ or local incorporated administrative agency and that is comprised of identifiers or their equivalent prescribed by a local government's ordinance, accounting for the regional characteristics and other circumstances, as those of which the handling requires special care so as not to cause unfair discrimination, prejudice, or other disadvantage to the identifiable person.
Section 2 Handling of Personal or Other Related Information by Administrative Entities
(Restrictions on Holding Personal Information)
Article 61(1)Administrative entities may hold personal information only when necessary for conducting processes and functions under the jurisdiction provided by laws and regulations (including local ordinances; the same applies in Article 66, paragraph (2), items (iii) and (iv), Article 69, paragraph (2), items (ii) and (iii), and Section 4), and must specify the purpose of use of personal information as much as possible when holding this information.
(2)Administrative entities must not hold personal information beyond the extent necessary for the purpose of use specified pursuant to the provisions of the preceding paragraph.
(3)Administrative entities must not alter the purpose of use beyond a reasonable extent from that of the original purpose of use.
(Clear Indication of the Purpose of Use)
Article 62Before an administrative entity directly acquires personal information on an identifiable person that is recorded in a document (including an electronic or magnetic record), the administrative entity must clearly indicate the purpose of use to that person, except in the following cases:
(i)cases in which there is an urgent need to protect the life, wellbeing or property of an individual;
(ii)cases in which indicating the purpose of use to the identifiable person clearly is likely to cause harm to the life, wellbeing, property, or other rights or interests of the identifiable person or a third party;
(iii)cases in which indicating the purpose of use to the identifiable person clearly is likely to hinder the proper execution of the process or service of a national government organ, incorporated administrative agency or other prescribed corporation, local government, or local incorporated administrative agency;
(iv)cases in which the purpose of use is found to be clear in light of the circumstances of the acquisition.
(Prohibition of Inappropriate Utilization)
Article 63The head of an administrative organ (for any organ designated by Cabinet Order referred to in Article 2, paragraph (8), items (iv) and (v), the head is designated for each respective organ by Cabinet Order; hereinafter the same applies in this Chapter and Article 174), a local government organ, an incorporated administrative agency or other prescribed corporation, and a local incorporated administrative agency (hereinafter referred to as an "administrative organ's head or administrative entity" in this Chapter and the following Chapter) must not utilize personal information using a method that has the possibility of fomenting or inducing an unlawful or unjust act.
(Proper Acquisition)
Article 64An administrative organ's head or administrative entity must not acquire personal information by deception or other wrongful means.
(Keeping Accuracy)
Article 65An administrative organ's head or administrative entity must endeavor to keep personal information the head or entity holds consistent with the past or the present facts within the scope necessary for fulfilling the purpose of use.
(Measures for Managing the Security of Personal Information an Administrative Entity Holds)
Article 66(1)An administrative organ's head or administrative entity must take necessary and appropriate measures for managing the security of personal information the administrative entity holds, preventing its leaking, loss or damage.
(2)The provisions of the preceding paragraph apply mutatis mutandis to cases in which a person set forth in each following item handles personal information in conducting services as prescribed in each item respectively:
(i)a person entrusted by an administrative entity with the handling of personal information: that entrusted service;
(ii)a designated administrator (meaning a designated administrator prescribed in Article 244-2, paragraph (3) of the Local Autonomy Act (Act No. 67 of 1947)): management service of a public facility (meaning a public facility prescribed in Article 244, paragraph (1) of that Act);
(iii)a person set forth in each item of Article 58, paragraph (1): service which is conducted based on laws and regulations and specified by Cabinet Order;
(iv)a person set forth in each item of Article 58, paragraph (2): business prescribed in each item of that paragraph which is conducted based on laws and regulations and specified by Cabinet Order;
(v)a person entrusted by a person set forth in each preceding item with service prescribed in each item (including entrustment via two or more layers): that entrusted service.
(Employee's Obligations)
Article 67An employee or a former employee of an administrative entity that handles personal information, a person engaged in or formerly engaged in business prescribed in each item of paragraph (2) of the preceding Article, or a staffing agency worker or a former staffing agency worker (meaning a staffing agency worker prescribed in Article 2, item (ii) of the Act on Securing the Proper Operation of Worker Dispatching Businesses and Protecting Dispatched Workers (Act No. 88 of 1985); hereinafter the same applies in this Chapter and Article 176) that handles personal information must not disclose personal information acquired in the course of that employee's work to other persons without reason or use this information for an unjust purpose.
(Reporting Leaks)
Article 68(1)If there is a leak, loss or damage and other situation concerning the security of the personal information an administrative entity holds as prescribed by Order of the Personal Information Protection Commission that is highly likely to harm individual rights and interests, the administrative organ's head or administrative entity must report to that effect to the Personal Information Protection Commission, pursuant to Order of the Personal Information Protection Commission.
(2)In cases prescribed in the preceding paragraph, an administrative organ's head or administrative entity must notify an identifiable person of the occurrence of the situation pursuant to Order of the Personal Information Protection Commission; provided, however, that this does not apply to cases falling under any of the following items:
(i)cases in which it is difficult to give a notification to the identifiable person, and necessary alternative measures are taken to protect the person's rights and interests;
(ii)cases in which the personal information the administrative organ or agency holds includes any of the information set forth in each item of Article 78, paragraph (1).
(Restrictions on the Use and Provision)
Article 69(1)An administrative organ's head or administrative entity must not personally use or provide other persons with personal information the administrative entity holds for any purpose other than the purpose of use, except cases based on laws and regulations.
(2)Notwithstanding the provisions of the preceding paragraph, when finding the case to fall under circumstances specified by any of the following items, an administrative organ's head or administrative entity may personally use or provide other persons with personal information the administrative entity holds for any purpose other than the purpose of use; provided, however, this does not apply if it is found that using that personal information personally or providing it to other persons for any purpose other than the purpose of use is likely to cause unjust prejudice to the rights or interests of the identifiable person or a third party:
(i)if the personal information the administrative entity holds is used or provided with the identifiable person's consent, or if it is provided to the identifiable person;
(ii)if the administrative entity uses personal information it holds within the organ only to the extent necessary for managing processes or services under the jurisdiction provided by laws and regulations, and there are reasonable grounds for the use of that personal information;
(iii)if the personal information the administrative entity holds is provided to another administrative organ, incorporated administrative agency or other prescribed corporation, local government organ, or local incorporated administrative agency; the person that receives the information uses it only to the extent necessary for managing the processes or services under its jurisdiction provided by laws and regulations; and there are reasonable grounds for the use of that personal information;
(iv)beyond what is set forth in the preceding three items, if the personal information the administrative entity holds is provided exclusively for statistical purpose or academic research purpose; provision of the information to other persons is obviously beneficial to the identifiable person; or there are other special grounds for providing that personal information.
(3)The provisions of the preceding paragraph do not preclude the application of the provisions of other laws and regulations which restrict the use or provision of personal information an administrative entity holds.
(4)When finding it particularly necessary for protecting the individual rights and interests, an administrative organ's head or administrative entity is to allow only particular departments, agencies, or employees within the organ to use personal information the administrative entity holds for any purpose other than the purpose of use.
(Making Requests of Persons that Receive Personal Information an Administrative Entity Holds)
Article 70When an administrative organ's head or administrative entity finds it necessary in providing personal information the administrative entity holds for the purpose of use or pursuant to the provisions of paragraph (2), item (iii) or (iv) of the preceding Article, they are to impose restrictions on the purpose or method of use of the personal information they provide or any other restrictions considered necessary on a person that receives that personal information, or request the person take necessary measures to prevent the leaking of and for the proper management of that personal information.
(Restrictions on the Provision of Information to Third Parties in Foreign Countries)
Article 71(1)Except in cases based on laws and regulations or set forth in Article 69, paragraph (2), item (iv), before an administrative organ's head or administrative entity provides personal information the administrative entity holds to a third party (excluding a person that has established a system that conforms to standards prescribed by Order of the Personal Information Protection Commission as necessary for continuously taking measures equivalent to the one that a business handling personal information prescribed in Article 16, paragraph (2) is to take concerning the handling of personal data prescribed in Article 16, paragraph (3) pursuant to the provisions of Section 2 of the preceding Chapter (referred to as "equivalent measures" in paragraph (3)); hereinafter the same applies in this paragraph and the following paragraph) in a foreign country (meaning a country or region located outside the territory of Japan; hereinafter the same applies in this Article) (excluding those prescribed by Order of the Personal Information Protection Commission as a foreign country that has established a personal information protection system recognized to have equivalent standards to that in Japan regarding the protection of individual rights and interests; hereinafter the same applies in this Article) for any purpose other than the purpose of use, the administrative organ's head or administrative entity must acquire the identifiable person's consent to the effect that the person approves the provision to a third party in a foreign country.
(2)When intending to obtain an identifiable person's consent pursuant to the provisions of the preceding paragraph, an administrative organ's head or administrative entity must provide the person in advance with information on the personal information protection system of the foreign country, on the measures the third party takes for the protection of personal information, and other information that serves as a reference to the person, pursuant to Order of the Personal Information Protection Commission.
(3)Except in those cases based on laws and regulations or set forth in Article 69, paragraph (2), item (iv), when an administrative organ's head or administrative entity has provided personal information the administrative entity holds to a third party in a foreign country (limited to a person that has established a system prescribed in paragraph (1)) for any purpose other than the purpose of use, the administrative organ's head or administrative entity must take necessary measures to ensure continuous implementation of the equivalent measures by the third party, and in response to the identifiable person's request, provide the person with information on the necessary measures, pursuant to Order of the Personal Information Protection Commission.
(Making Requests of Persons that Receive Information Related to Personal Information)
Article 72When finding it necessary in providing information related to personal information to a third party (limited to cases in which it is assumed that the third party acquires the information related to personal information as personal information), an administrative organ's head or administrative entity is to impose restrictions on the purpose or method of use of information related to personal information that they provide or any other restrictions considered necessary on the third party, or request the person take necessary measures to prevent the leaking of and for the proper management of the information.
(Obligations on the Handling of Pseudonymized Personal Information)
Article 73(1)Except in cases based on laws and regulations, an administrative organ's head or administrative entity must not provide pseudonymized personal information (excluding those that are personal information; hereinafter the same applies in this Article and Article 128) to a third party (excluding a person entrusted with the handling of the pseudonymized personal information).
(2)An administrative organ's head or administrative entity must take necessary and appropriate measures for managing the security of personal data including preventing the leaking of pseudonymized personal information they handle.
(3)Except cases based on laws and regulations, in handling pseudonymized personal information, an administrative organ's head or administrative entity must neither acquire deleted or other related information (meaning identifiers or their equivalent, individual identification codes, and information on the method of processing as performed under Article 41, paragraph (1) that have been deleted from the personal information used to prepare the pseudonymized personal information), nor collate the pseudonymized personal information with other information, in order to identify the person identifiable by personal information that was used to prepare that pseudonymized personal information.
(4)Except cases based on laws and regulations, in handling pseudonymized personal information, an administrative organ's head or administrative entity must not utilize a contact address and other information contained in the pseudonymized personal information for telephoning, for sending by mail or by correspondence delivery prescribed in Article 2, paragraph (2) of the Act on Correspondence Delivery by Private Business Operators conducted by a general correspondence delivery operator prescribed in Article 2, paragraph (6) of that Act or a specified correspondence delivery operator prescribed in Article 2, paragraph (9) of that Act, for delivering a telegram, for transmitting information using a facsimile machine or electronic or magnetic means (meaning means that use electronic data processing system or means that utilize other information communication technology as prescribed by Order of the Personal Information Protection Commission), or for visiting a residence.
(5)The provisions of each preceding paragraph apply mutatis mutandis to cases in which a person that has been entrusted (including entrustment via two or more layers) with the handling of pseudonymized personal information by an administrative organ's head or administrative entity conducts the entrusted business.
Section 3 Personal Information Files
(Advance Notification on Holding Personal Information Files)
Article 74(1)Before an administrative organ (excluding the Board of Audit; hereinafter the same applies in this Article) intends to hold a personal information file, the head of the administrative organ must notify the Personal Information Protection Commission of the following matters. The same applies to cases in which an administrative organ intends to alter any matters for which notification has already been given:
(i)the name of the personal information file;
(ii)the name of the organ and the name of the organizational section in charge of the processes for which the personal information file will be used;
(iii)the purpose of use of the personal information file;
(iv)particulars recorded in the personal information file (hereinafter referred to as the "recorded particulars" in this Section) and the scope of individuals that are recorded in the personal information file as an identifiable person (limited to those who can be identified through a search without another individual's name, date of birth, or other identifiers or their equivalent; the same applies in item (ix) of the following paragraph) (this scope is hereinafter referred to as the "scope of record" in this Section);
(v)the means of acquiring the personal information recorded in the personal information file (hereinafter referred to as the "recorded information" in this Section);
(vi)if the recorded information contains sensitive personal information, an indication to that effect;
(vii)if the recorded information is routinely provided to a party outside that organ, the name of that party;
(viii)if a part of the recorded particulars or the matters set forth in item (v) or in the preceding item are not to be contained in the personal information file register, or the personal information file is not to be contained in the personal information file register pursuant to the provisions of paragraph (3) of the following Article, an indication to that effect;
(ix)the name and address of the organization that accepts the request prescribed in Article 76, paragraph (1), Article 90, paragraph (1), or Article 98, paragraph (1);
(x)if the proviso of Article 90, paragraph (1) or the proviso of Article 98, paragraph (1) applies, an indication to that effect;
(xi)other matters prescribed by Cabinet Order.
(2)The provisions of the preceding paragraph do not apply to the personal information files set forth in the following:
(i)a personal information file that contains matters concerning the national security, diplomatic secrets, and other important interests of the State;
(ii)a personal information file prepared or acquired for criminal investigation, investigation of tax crimes based on the provisions of laws related to tax, or instituting or keeping a legal proceeding;
(iii)a personal information file for employees or former employees of that organ, which exclusively contains information concerning their personnel, wages, welfare benefits, or any equivalent matters (including a personal information file concerning an employee recruitment examination conducted by that organ);
(iv)a personal information file exclusively used for the purpose of experimental computer processing;
(v)a personal information file which contains all or a part of the recorded information contained in another personal information file subject to the notification prescribed in the preceding paragraph, if its purpose of use, recorded particulars, and scope of record are within the scope of those subject to that notification;
(vi)a personal information file that contains only recorded information that will be erased within one year;
(vii)a personal information file containing recorded information to be used for sending materials or any goods or money or for making necessary business contacts, which only contain the names, addresses and other necessary details concerning the recipients;
(viii)a personal information file that an employee prepares or acquires based on that employee's initiative for an academic research purpose, if the recorded information is used exclusively for that academic research purpose;
(ix)a personal information file for which the number of the identifiable persons is less than the number specified by Cabinet Order;
(x)a personal information file specified by Cabinet Order as being equivalent to any of the personal information files set forth in item (iii) through the preceding item;
(xi)a personal information file in relation to Article 60, paragraph (2), item (ii).
(3)If an administrative organ ceases to hold the personal information file for which notification of the matters prescribed in paragraph (1) has been made or that personal information file comes to fall under item (ix) of the preceding paragraph, the head of the administrative organ must notify the Personal Information Protection Commission to that effect without delay.
(Preparation and Publication of Personal Information File Registers)
Article 75(1)An administrative organ's head or administrative entity must prepare and publish a register containing the matters listed in paragraph (1), items (i) through (vii) as well as items (ix) and (x) of the preceding Article and other matters as prescribed by Cabinet Order with regard to the respective personal information files held by the administrative entity to which the head or entity in question belongs (that register is hereinafter referred to as the "personal information file register" in this Chapter).
(2)The provisions of the preceding paragraph do not apply to the personal information file set forth in the following:
(i)a personal information file set forth in items (i) through (x) of paragraph (2) of the preceding Article;
(ii)a personal information file which contains all or a part of the recorded information contained in another personal information file subject to the publication prescribed in the preceding paragraph, if its purpose of use, recorded matters, and scope of record are within the scope of those subject to that publication;
(iii)a personal information file designated by Cabinet Order as being equivalent to the personal information file listed in the preceding item.
(3)Notwithstanding the provisions of paragraph (1), if an administrative organ's head or administrative entity finds that inclusion of a part of the recorded particulars, the matters listed in paragraph (1), item (v) or (vii) of the preceding Article, or a personal information file in the personal information file register is likely to particularly hinder the proper execution of processes or services in relation to the purpose of use due to their nature, the administrative organ's head or administrative entity may refrain from including that part of the recorded particulars, the matters listed in those items, or the personal information file in the personal information file register.
(4)With regard to applying the provision of paragraph (1) related to a local government organ or a local incorporated administrative agency, the term "other matters as prescribed by Cabinet Order with regard to the respective personal information files held by the organ to which the head belongs" in that paragraph is replaced with "other matters as prescribed by Cabinet Order with regard to the respective personal information files held by the organ to which the head belongs, and also containing an indication that it includes sensitive personal information prescribed by local ordinance, if that is the case".
(5)The provisions of each preceding paragraph do not preclude a local government organ or a local incorporated administrative agency from preparing and publishing a register that is different from the personal information file register and contains matters regarding the status of holding personal information, as prescribed by local ordinance.
Section 4 Disclosure, Corrections and Ceasing to Use
Subsection 1 Disclosure
(Right to Request Disclosure)
Article 76(1)Any person may request that an administrative organ's head or administrative entity disclose personal information by which that person is identifiable and that is held by the administrative entity to which the head or entity in question belongs, pursuant to the provisions of this Act.
(2)A legal representative of a minor or adult ward, or an agent privately appointed by the identifiable person (hereinafter collectively referred to as an "agent" in this Section) may make a request for disclosure (hereinafter referred to as a "request for disclosure" in this Section and Article 127) provided in the preceding paragraph on behalf of that person.
(Procedures for Requests for Disclosure)
Article 77(1)A request for disclosure must be made by submitting a document containing the matters listed in the following items (hereinafter referred to as a "written request for disclosure" in paragraph (3)) to the administrative organ's head or administrative entity:
(i)the name and address or residence of the person making the request for disclosure;
(ii)the name of the administrative or similar document containing the personal information the administrative entity holds which is subject to the request for disclosure, or other matters sufficient for identifying that information subject to the request.
(2)In the case referred to in the preceding paragraph, as prescribed by Cabinet Order, the person making the request for disclosure must present or submit a document to indicate that the person is the person identifiable by the personal information the administrative entity holds that is subject to the request for disclosure (or the agent of the person, in the case of a request for disclosure under paragraph (2) of the preceding Article).
(3)If an administrative organ's head or administrative entity finds a formal deficiency in a written request for disclosure, they may ask the person who made the request for disclosure (hereinafter referred to as a "person requesting disclosure" in this Section) to amend the request, by setting a reasonable period of time. In this case, the administrative organ's head or administrative entity must endeavor to provide the person requesting disclosure with information that is helpful in the amendment.
(Obligation to Disclose Personal Information an Administrative Entity Holds)
Article 78(1)If a request for disclosure is filed, unless any of the information listed in each of the following items (hereinafter referred to as "non-disclosure information" in this Section) is recorded in the personal information the administrative entity holds which is subject to the request for disclosure, the administrative organ's head or administrative entity must disclose that information to the person requesting disclosure:
(i)information that is likely to cause harm to the life, wellbeing, livelihood or property of the person requesting disclosure (or of the identifiable person, if an agent makes a request for disclosure on behalf of that person pursuant to Article 76, paragraph (2); the same applies in the following item and item (iii) of this Article, paragraph (2) of the following Article, and Article 80, paragraph (1));
(ii)information concerning an individual other than the person requesting disclosure (excluding information concerning the business conducted by an individual) by which a specific individual other than the person requesting disclosure is identifiable from a name, date of birth or other identifiers or their equivalent contained in that information (including cases in which it is possible to identify a specific individual other than the person requesting disclosure through comparing that information with other information); which contains an individual identification code; or whose disclosure is likely to cause harm to the rights and interests of an individual other than the person requesting disclosure, if it is not possible to identify a specific individual other than the person requesting disclosure; provided, however, that the following information is excluded;
(a)information that can be made available to or is scheduled to be made available to the person requesting disclosure pursuant to the provisions of laws and regulations or by established practice;
(b)information which is found necessary to be disclosed in order to protect a person's life, wellbeing, livelihood or property;
(c)the part of the relevant information relating to the job of a public officer or similar employee (meaning a national public officer prescribed in Article 2, paragraph (1) of the National Public Officer Act (Act No. 120 of 1947) (excluding employees of an agency engaged in administrative execution prescribed in Article 2, paragraph (4) of the Act on General Rules for Incorporated Administrative Agency), employee of an incorporated administrative agency or other prescribed corporation, local public officer prescribed in Article 2 of the Local Public Officer Act (Act No. 261 of 1950), or employee of a local incorporated administrative agency) and the substance of the performance of their duties, if the relevant individual is a public officer, and that information relates to the performance of the duties;
(iii)the following information concerning corporations or other entities (excluding the State, incorporated administrative agency or other prescribed corporation, local public entity, and local incorporated administrative agency; hereinafter referred to as a "corporation or similar entity" in this item) or concerning the business that an individual other than the person requesting disclosure conducts; provided, however, that information which is found necessary to be disclosed in order to protect a person's life, wellbeing, livelihood, or property is excluded;
(a)information whose disclosure is likely to cause harm to the rights, competitive position, or other legitimate interests of the relevant corporation or similar entity or of the relevant individual;
(b)information customarily not disclosed by the corporation or similar entity or by the relevant individual, which has been voluntarily provided in response to a request by an administrative entity on the condition of non-disclosure, or information for which it is found reasonable to set that condition in light of the nature of the information or the circumstances at the time;
(iv)information for which there are reasonable grounds for the head of an administrative organ to find that its disclosure is likely to cause harm to national security, cause damage to the relationship of mutual trust with another country or an international organization, or cause a disadvantage in negotiations with another country or an international organization, if the head of the administrative organ makes a decision set forth in each paragraph of Article 82 (hereinafter referred to as a "decision on disclosure" in this Section);
(v)information for which there are reasonable grounds for the head of an administrative organ or the local government organ (limited to a prefectural government agency) to find that its disclosure is likely to hinder prevention, suppression or the investigation of crimes, keeping prosecutions, the execution of punishment, and other matters concerning upholding public safety and public order, if the head of the administrative organ or the local government organ makes a decision on disclosure;
(vi)information concerning deliberations, examinations or consultations conducted in a national government organ, incorporated administrative agency or other prescribed corporation, local government and local incorporated administrative agency, or conducted mutually between them, if its disclosure is likely to cause unjust harm to the frank exchange of opinions or the neutrality of decision making, unreasonably cause confusion among the people, or unjustly bring advantages or disadvantages to specific persons;
(vii)information concerning the processes or service conducted by a national government organ, an incorporated administrative agency or other prescribed corporation, a local government, or a local incorporated administrative agency, if its disclosure is likely to have the following risks or is likely to hinder the proper execution of the processes or service due to their nature;
(a)risk of causing harm to national security, damage to the relationship of mutual trust with another country or an international organization, or a disadvantage in negotiations with another country or an international organization, if an incorporated administrative agency or other prescribed corporation, a local government organ, or a local incorporated administrative agency makes a decision on disclosure;
(b)risk of hindering prevention, suppression or the investigation of crimes, keeping prosecutions, the execution of punishment, and other matters concerning upholding public safety and public order, if an incorporated administrative agency or other prescribed corporation, a local government organ (excluding a prefectural government agency), or a local incorporated administrative agency makes a decision on disclosure;
(c)risk of making it difficult to accurately understand facts concerning processes relating to audits, inspections, supervision, examinations, or the imposition or collection of tax; facilitating illegal or wrongful acts regarding those processes; or making it difficult to detect those acts;
(d)risk of causing unjust damage to the property benefit, or the position as an interested party, of the State, an incorporated administrative agency or other prescribed corporation, a local government, or a local incorporated administrative agency concerning processes relating to contracts, negotiations, or administrative appeals and litigation;
(e)risk of causing unjust hindrance to the fair and efficient execution of processes relating to research and study;
(f)risk of causing hindrance to keeping impartial and smooth personnel practices in processes relating to personnel management;
(g)risk of causing damage to the legitimate interests arising from corporate management with regard to the service of an incorporated administrative agency or other prescribed corporation, of a business operated by a local government, or of a local incorporated administrative agency.
(2)With regard to applying the provision of the preceding paragraph related to a local government organ or a local incorporated administrative agency, the phrase "information listed in each of the following items (" in that paragraph is deemed to be replaced with "information listed in each of the following items (excluding information prescribed by local ordinance as information that is to be disclosed pursuant to the provisions of the information disclosure ordinance) or information equivalent to non-disclosure information prescribed in Article 5 of the Administrative Organs Information Disclosure Act, which is not disclosed in the information disclosure ordinance, and which is prescribed by the ordinance as information that needs to be non-disclosed in order to ensure consistency with that information disclosure ordinance (".
(Partial Disclosure)
Article 79(1)If non-disclosure information is included in personal information an administrative entity holds that is subject to a request for disclosure, and it is possible to easily separate and exclude the part that constitutes non-disclosure information from the personal information, the administrative organ's head or administrative entity must disclose the part from which the part that constitutes non-disclosure information has been excluded to the person requesting disclosure.
(2)If the information set forth in paragraph (1), item (ii) of the preceding Article (limited to information that can be used to identify a specific individual other than the person requesting disclosure) is included in personal information an administrative entity holds that is subject to a request for disclosure, and it is found that disclosure of the information would not be likely to cause damage to the rights and interests of a person other than the person requesting disclosure if the part in the information that constitutes a name, date of birth, or other identifiers or their equivalent that can be used to identify a specific individual other than the person requesting disclosure, or that constitutes an individual identification code were excluded from that information, the other part in the information from which the part mentioned above has been excluded is deemed not to be included in the information set forth in that item, and the provisions of the preceding paragraph apply to it.
(Discretionary Disclosure)
Article 80Even if non-disclosure information is included in personal information an administrative entity holds that is subject to a request for disclosure, the administrative organ's head or administrative entity may disclose the personal information the administrative entity holds to the person requesting disclosure, if they find it particularly necessary to do so for protecting the individual rights and interests.
(Information on the Existence of Personal Information an Administrative Entity Holds)
Article 81If non-disclosure information is supposed to be disclosed by merely answering whether or not personal information an administrative entity holds that is subject to a request for disclosure exists, the administrative organ's head or administrative entity may refuse the request for disclosure, without making the existence or non-existence of that personal information clear.
(Measures on Requests for Disclosure)
Article 82(1)When disclosing all or a part of personal information an administrative entity holds that is subject to a request for disclosure, the administrative organ's head or administrative entity must make a decision to that effect, and notify the person requesting disclosure of that decision, the purpose of use of that personal information to be disclosed, and matters specified by Cabinet Order relating to the implementation of disclosure in writing; provided, however, that this does not apply to the purpose of use in cases that fall under Article 62, item (ii) or item (iii).
(2)If an administrative organ's head or administrative entity decides not to disclose any personal information the administrative entity holds that is subject to a request for disclosure (this includes the cases in which the administrative organ's head or administrative entity refuses a request for disclosure pursuant to the provisions of the preceding Article or does not hold that personal information), the administrative organ's head or administrative entity must notify the person requesting disclosure to that effect in writing.
(Due Date for Decisions on Disclosure)
Article 83(1)Decisions on disclosure must be made within thirty days from the date of the request for disclosure; provided, however, that if an amendment is requested pursuant to the provisions of Article 77, paragraph (3), the number of days required for the amendment is not included within that period of time.
(2)Notwithstanding the provisions of the preceding paragraph, if there are justifiable grounds such as difficulties arising from conducting processes, an administrative organ's head or administrative entity may extend the period of time prescribed in that paragraph for up to thirty days. In this case, the administrative organ's head or administrative entity must notify the person requesting disclosure in writing of the extended period and the grounds for the extension, without delay.
(Exception to the Due Date for Decisions on Disclosure)
Article 84Notwithstanding the provisions of the preceding Article, if there is a considerably large amount of personal information an administrative entity holds that is subject to a request for disclosure, and there would be a risk that the performance of duties is considerably hindered if a decision on disclosure were made on all of those requests within sixty days from the date of a request for disclosure, it is sufficient for the administrative organ's head or administrative entity to make a decision on disclosure for a reasonable portion of the personal information the administrative entity holds for which disclosure has been requested within that period of time, and to make a decision on disclosure for the remaining personal information within a reasonable period of time. In this case, the administrative organ's head or administrative entity must notify the person requesting disclosure of the following matters in writing within the period of time prescribed in paragraph (1) of that Article:
(i)the application of this Article and the grounds for its application;
(ii)due date for making a decision on disclosure for the remaining personal information the administrative entity holds.
(Transfer of Cases)
Article 85(1)An administrative organ's head or administrative entity may transfer the case to another head or entity upon consulting with them, if the personal information the administrative entity holds that is subject to a request for disclosure has been provided by an administrative entity other than one to which the head or entity in question belongs, or there are justifiable grounds for that other head or entity to make a decision on disclosure. In this case, the administrative organ's head or administrative entity that has transferred the case must notify the person requesting disclosure in writing to the effect that the case has been transferred.
(2)If a case has been transferred pursuant to the provisions of the preceding paragraph, an administrative organ's head or administrative entity to which the case has been transferred must make a decision on disclosure in relation to the relevant request for disclosure. In this case, actions that the administrative organ's head or administrative entity that has transferred the case has made prior to the transfer are deemed to be those that the administrative organ's head or administrative entity to which the case has been transferred has made.
(3)In the case referred to in the preceding paragraph, if the administrative organ's head or administrative entity to which the case has been transferred makes a decision set forth in Article 82, paragraph (1) (hereinafter referred to as a "decision to disclose" in this Section), the administrative organ's head or administrative entity must implement the disclosure. In this case, the administrative organ's head or administrative entity that has transferred the case must cooperate as necessary in the implementation of that disclosure.
(Granting Third Parties an Opportunity to Submit a Written Opinion)
Article 86(1)If information on a person other than the State, an incorporated administrative agency or other prescribed corporation, a local government, a local incorporated administrative agency, or a person requesting disclosure (hereinafter referred to as a "third party" in this Article, Article 105, paragraph (2), item (iii), and Article 107, paragraph (1)) is included in the personal information an administrative entity holds that is subject to a request for disclosure, the administrative organ's head or administrative entity may notify the third party of the content of the information on that third party, and other matters specified by Cabinet Order, and may grant an opportunity to submit a written opinion, pursuant to the provisions of Cabinet Order, when making a decision on disclosure.
(2)In the cases that fall under any of the following items, before making a decision to disclose, an administrative organ's head or administrative entity must notify the third party in writing of the content of the information on the third party that is subject to a request for disclosure and other matters specified by Cabinet Order, and grant that third party an opportunity to submit a written opinion, pursuant to the provisions of Cabinet Order; provided, however, that this does not apply to cases in which the third party's location is unknown:
(i)personal information an administrative entity holds that contains information on a third party is to be disclosed, and it is found that the information on that third party falls under the information prescribed in Article 78, paragraph (1), item (ii), (b) or in the proviso of item (iii) of that paragraph;
(ii)personal information an administrative entity holds that contains information on a third party is to be disclosed pursuant to the provisions of Article 80.
(3)If the third party that was granted an opportunity to submit a written opinion pursuant to the provisions of the preceding two paragraphs has submitted a written opinion manifesting the intention to oppose disclosure of the information concerning the third party, but the administrative organ's head or administrative entity makes a decision to disclose, the head or entity must place at least two weeks between the day of the decision to disclose and the day on which the disclosure will be implemented. In this case, upon making the decision to disclose, the administrative organ's head or administrative entity must immediately notify the third party that submitted that written opinion (referred to as a "written opposition opinion" in Article 105) in writing to the effect that the decision to disclose was made, of the grounds for its decision, and of the date on which the disclosure will be implemented.
(Implementing Disclosure)
Article 87(1)The disclosure of personal information an administrative entity holds is implemented through inspection or by the delivery of copies, if that personal information is contained in the form of documents or drawings; or by means designated by the administrative organ's head or administrative entity in consideration of the type of the record, the state of its digitalization, and other factors, if that personal information is contained in the electronic or magnetic records; provided, however, that if disclosure of personal information an administrative entity holds is to be implemented through inspection, and if the administrative organ's head or administrative entity finds that inspection of the original material is likely to hinder the preservation of the documents or pictures that contain the personal information, or there are other justifiable grounds for doing so, the disclosure of the personal information may be implemented through inspection of a copy of the documents or drawings.
(2)An administrative entity must make its rules on the means of disclosure for electronic or magnetic records based on the preceding paragraph available for public inspection.
(3)A person to whom personal information an administrative entity holds is disclosed based upon a decision to disclose must indicate the means of implementing the disclosure that the person requests and other matters prescribed by Cabinet Order to the administrative organ's head or administrative entity that has made the decision to disclose, pursuant to the provisions of Cabinet Order.
(4)The indication under the preceding paragraph must be made within thirty days from the date of the notice prescribed in Article 82, paragraph (1); provided, however, that this does not apply if there are justifiable grounds for being unable to make the indication within that period of time.
(Coordination with Disclosure Implemented by Other Laws and Regulations)
Article 88(1)Notwithstanding the main clause of paragraph (1) of the preceding Article, if personal information an administrative entity holds that is subject to a request for disclosure is to be disclosed to the person requesting disclosure by the same means as those prescribed in the main clause of that paragraph pursuant to the provisions of other laws and regulations (only within the period of time for disclosure, if it is specified), the administrative organ's head or administrative entity does not disclose the personal information the administrative entity holds by that same means; provided, however, that this does not apply when there are those provisions in other laws and regulations to the effect that disclosure is not implemented in certain cases.
(2)If the means of disclosure designated by the provisions of other laws and regulations is public inspection, that public inspection is deemed to be inspection referred to in the main clause of paragraph (1) of the preceding Article, and the provisions of the preceding paragraph apply.
(Fees)
Article 89(1)A person that makes a request for disclosure to the head of an administrative organ must pay a fee prescribed by Cabinet Order within the actual cost, pursuant to the provisions of Cabinet Order.
(2)A person that makes a request for disclosure to a local government organ must pay a fee specified by local ordinance within the actual cost, as prescribed by local ordinance.
(3)When the amount of the fee referred to in the preceding two paragraphs is established, consideration must be given to making the amount as affordable as possible.
(4)A person that makes a request for disclosure to an incorporated administrative agency or other prescribed corporation must pay a fee specified by the incorporated administrative agency or other prescribed corporation.
(5)An incorporated administrative agency or other prescribed corporation specifies the amount of the fee referred to in the preceding paragraph within the actual cost, taking the amount of the fee referred to in paragraph (1) into consideration.
(6)An incorporated administrative agency or other prescribed corporation must make the rules under the preceding two paragraphs available for general inspection.
(7)A person that makes a request for disclosure to a local incorporated administrative agency must pay a fee specified by the local incorporated administrative agency.
(8)A local incorporated administrative agency specifies the amount of the fee referred to in the preceding paragraph within the actual cost, taking the amount of the fee referred to in paragraph (2) into consideration.
(9)A local incorporated administrative agency must make the rules under the preceding two paragraphs available for general inspection.
Subsection 2 Correction
(Right to Request Correction)
Article 90(1)Any person who thinks that the content of personal information an administrative entity holds by which that person is identifiable (the information is limited to the following; the same applies in Article 98, paragraph (1)) is untrue may make a request for correction (including addition or deletion; hereinafter the same applies in this Section) of the personal information to the administrative organ's head or administrative entity that holds it, pursuant to the provisions of this Act; provided, however, that this does not apply if a special procedure for correction of the personal information the administrative entity holds is prescribed by other laws and regulations:
(i)personal information the administrative entity holds that has been disclosed based on a decision to disclose;
(ii)personal information the administrative entity holds that is subject to a decision to disclose, and has been disclosed pursuant to the provisions of other laws and regulations as provided for in Article 88, paragraph (1).
(2)An agent may make a request for correction (hereinafter referred to as a "request for correction" in this Section and Article 127) as prescribed in the preceding paragraph on behalf of the identifiable person.
(3)A request for correction must be made within ninety days from the date of disclosure of personal information an administrative entity holds.
(Procedures for Requests for Correction)
Article 91(1)A document describing the matters listed in the following (referred to as a "written request for correction" in paragraph (3)) must be submitted to an administrative organ's head or administrative entity for a request for correction:
(i)the name and address or residence of the person making a request for correction;
(ii)the date of disclosure of the personal information the administrative entity holds that is subject to the request for correction and other matters sufficient for specifying the personal information the administrative entity holds;
(iii)an outline of the request for correction and the grounds for it.
(2)In the case referred to in the preceding paragraph, a person making a request for correction must present or submit a document to indicate that the person is identifiable by the information an administrative entity holds that is subject to the request for correction (or, in the case of a request for correction under paragraph (2) of the preceding Article, the agent of the identifiable person), pursuant to the provisions of Cabinet Order.
(3)If an administrative organ's head or administrative entity finds a formal deficiency in a written request for correction, the administrative organ's head or administrative entity may ask the person who made the request for correction (hereinafter referred to as a "person requesting correction" in this Section) to amend the request, by setting a reasonable period of time.
(Obligation to Correct Personal Information an Administrative Entity Holds)
Article 92If a request for correction is filed and an administrative organ's head or administrative entity finds that there are grounds for that request for correction, they must correct the personal information the administrative entity holds that is subject to the request for correction within the scope necessary for achieving the purpose of use of that personal information.
(Measures Concerning a Request for Correction)
Article 93(1)When correcting the personal information an administrative entity holds that is subject to a request for correction, the administrative organ's head or administrative entity must make a decision to that effect, and notify the person requesting correction of that decision in writing.
(2)When not correcting the personal information an administrative entity holds that is subject to a request for correction, the administrative organ's head or administrative entity must make a decision to that effect, and notify the person requesting correction of that decision in writing.
(Due Date for Decisions on Correction)
Article 94(1)The decisions referred to in the items of the preceding Article (hereinafter referred to as a "decision on correction" in this Section) must be made within thirty days from the date of a request for correction; provided, however, that if an amendment is requested pursuant to the provisions of Article 91, paragraph (3), the number of days required for that amendment is not included within this period of time.
(2)Notwithstanding the provisions of the preceding paragraph, if there are justifiable grounds such as difficulties arising from conducting processes, an administrative organ's head or administrative entity may extend the period of time prescribed in that paragraph for up to thirty days. In this case, the administrative organ's head or administrative entity must notify the person requesting correction in writing of the extended period and the grounds for the extension.
(Exceptions to the Due Date for Decisions on Correction)
Article 95Notwithstanding the provisions of the preceding Article, if an administrative organ's head or administrative entity finds that to make a decision on correction would require a particularly long period of time, it is sufficient for them to make a decision on correction within a reasonable period of time. In this case, the administrative organ's head or administrative entity must notify the person requesting correction in writing of the following matters within the period of time prescribed in paragraph (1) of that Article:
(i)the application of this Article and the grounds for its application;
(ii)due date for making a decision on correction.
(Transfer of Cases)
Article 96(1)An administrative organ's head or administrative entity may transfer the case to another head or entity upon consulting them, if the personal information the administrative entity holds that is subject to a request for correction is disclosed pursuant to Article 85, paragraph (3), or there are justifiable grounds for that other head or entity to make a decision on correction. In this case, the administrative organ's head or administrative entity that has transferred the case must notify the person requesting correction to the effect that the case has been transferred in writing.
(2)If a case has been transferred pursuant to the provisions of the preceding paragraph, the administrative organ's head or administrative entity to which the case has been transferred must make a decision on correction in relation to the relevant request for correction. In this case, actions that the administrative organ's head or administrative entity that has transferred the case has made prior to the transfer are deemed to be those that the administrative organ's head or administrative entity to which the case has been transferred has made.
(3)In the case referred to in the preceding paragraph, when the administrative organ's head or administrative entity to which the case has been transferred makes a decision referred to in Article 93, paragraph (1) (hereinafter referred to as a "decision to make a correction" in this paragraph and the following Article), the administrative organ's head or administrative entity that has transferred the case must implement the correction based on that decision to make a correction.
(Notification to a Party to which Personal Information an Administrative Entity Holds is Provided)
Article 97If an administrative organ's head or administrative entity has implemented a correction of personal information the administrative entity holds based on a decision to make a correction, and the head or entity finds it necessary to do so, they must give a notification to that effect in writing without delay to a party to which the personal information the administrative entity holds has been provided.
Subsection 3 Ceasing to Use Personal Information an Administrative Entity Holds
(Right to Request Ceasing to Use Personal Information)
Article 98(1)Any person who thinks that personal information an administrative entity holds by which that person is identifiable falls under any of the following items may make a request for the measures specified in those items to the administrative organ's head or administrative entity that holds the personal information, pursuant to the provisions of this Act; provided, however, that this does not apply if a special procedure for ceasing to use personal information the administrative entity holds, deleting that personal information, or ceasing to provide that personal information (hereinafter referred to as "ceasing to use personal information" in this Section) is prescribed by other laws and regulations:
(i)if the personal information the administrative entity holds is held in violation of Article 61, paragraph (2), is handled in violation of Article 63, is acquired in violation of Article 64, or is used in violation of Article 69, paragraphs (1) and (2): ceasing to use or deleting that personal information;
(ii)if the personal information the administrative entity holds is provided in violation of Article 69, paragraphs (1) and (2) or Article 71, paragraph (1): ceasing to provide that personal information.
(2)An agent may make a request for ceasing to use personal information (hereinafter referred to as a "request for ceasing to use personal information" in this Section and Article 127) prescribed in the preceding paragraph on behalf of the identifiable person.
(3)A request for ceasing to use personal information must be made within ninety days from the date of disclosure of the personal information the administrative entity holds.
(Procedures for Request for Ceasing to Use Personal Information)
Article 99(1)For a request for ceasing to use personal information, a document describing the matters listed in the following (referred to as a "written request for ceasing to use personal information" in paragraph (3)) must be submitted to the administrative organ's head or administrative entity:
(i)the name and address or residence of the person making a request for ceasing to use personal information;
(ii)the date of disclosure of the personal information the administrative entity holds that is subject to the request for ceasing to use personal information, and other matters sufficient for specifying that personal information;
(iii)an outline of the request for ceasing to use personal information and the grounds for it.
(2)In the case referred to in the preceding paragraph, the person making a request for ceasing to use personal information must present or submit a document to indicate that the person is identifiable by the personal information the administrative entity holds that is subject to the request for the cessation (or the agent of the identifiable person, in the case of a request for ceasing to use personal information that is made pursuant to the provisions of paragraph (2) of the preceding Article).
(3)When an administrative organ's head or administrative entity finds that there is a formal deficiency of a written request for ceasing to use personal information, the head or entity may ask the person having made the request for ceasing to use personal information (hereinafter referred to as a "person making a request for ceasing to use personal information" in this Section) to amend that request, by setting a reasonable period of time.
(Obligation for Ceasing to Use Personal Information an Administrative Entity Holds)
Article 100When a request for ceasing to use personal information is filed, and an administrative organ's head or administrative entity finds that there are grounds for the request, the head or entity must cease to use the personal information the administrative entity holds that is subject to the request within the scope necessary for ensuring the proper handling of personal information in the administrative entity to which the administrative organ's head or administrative entity belongs; provided, however, that this does not apply if it is found that ceasing to use the personal information the administrative entity holds is likely to hinder the proper execution of the process or service relating to the purpose of use of that personal information due to their nature.
(Measures on a Request for Ceasing to Use Personal Information)
Article 101(1)When ceasing to use personal information an administrative entity holds that is subject to a request for ceasing to use personal information, the administrative organ's head or administrative entity must make a decision to that effect, and notify the person making a request for the cessation to that effect in writing.
(2)When not ceasing to use personal information an administrative entity holds that is subject to a request for ceasing to use personal information, the administrative organ's head or administrative entity must make a decision to that effect, and notify the person making a request for the cessation to that effect in writing.
(Due Date for Decisions on Ceasing to Use Personal Information)
Article 102(1)A decision set forth in the paragraphs of the preceding Article (hereinafter referred to as a "decision on ceasing to use personal information" in this Section) must be made within thirty days from the date of a request for ceasing to use personal information; provided, however, that in cases in which an amendment is requested pursuant to the provisions of Article 99, paragraph (3), the number of days required for the amendment is not included within that period of time.
(2)Notwithstanding the provisions of the preceding paragraph, if there are justifiable grounds such as difficulties arising from conducting processes, an administrative organ's head or administrative entity may extend the period of time prescribed in that paragraph for up to thirty days. In this case, the administrative organ's head or administrative entity must notify the person making a request for ceasing to use personal information in writing of the extended period and the grounds for the extension, without delay.
(Exception to the Due Date for Decisions on Ceasing to Use Personal Information)
Article 103Notwithstanding the provisions of the preceding Article, if an administrative organ's head or administrative entity finds that making a decision on ceasing to use personal information would require a particularly long period of time, it is sufficient for them to make a decision on ceasing to use the personal information within a reasonable period of time. In this case, the administrative organ's head or administrative entity must notify the person making a request for ceasing to use the personal information in writing of the following matters within the period of time prescribed in paragraph (1) of that Article:
(i)the application of this Article and the grounds for its application;
(ii)the due date for making a decision on ceasing to use the personal information.
Subsection 4 Appeals for Review
(Exclusion from Application of Provisions Concerning Review Proceedings by Review Officers)
Article 104(1)The provisions of Article 9, Article 17, Article 24, Chapter II, Sections 3 and 4, and Article 50, paragraph (2) of the Administrative Complaint Review Act (Act No. 68 of 2014) do not apply to an appeal for review to any inaction of an administrative organ's head or administrative entity (excluding a local government organ or a local incorporated administrative agency; the same applies in the following paragraph and the following Article) in relation to a decision on disclosure, a decision on correction, a decision on ceasing to use personal information, or in relation to a request for disclosure, a request for correction, or a request for ceasing to use personal information.
(2)When applying the provisions in Chapter II of the Administrative Complaint Review Act to an appeal for review to any inaction of an administrative organ's head or administrative entity in relation to a decision on disclosure, a decision on correction, a decision on ceasing to use personal information, or in relation to a request for disclosure, a request for correction, or a request for ceasing to use personal information, the term "a person who has been designated pursuant to the provisions of Article 9, paragraph (1) (hereinafter referred to as a "review officer")" in Article 11, paragraph (2) of that Act is deemed to be replaced with "an administrative agency (including an administrative agency that takes over the appeal for review pursuant to the provisions in Article 14; hereinafter referred to as a "reviewing agency") to which an appeal for review has been filed pursuant to the provisions in Article 4 (including a Cabinet Order issued pursuant to Article 107, paragraph (2) of the Act on the Protection of Personal Information (Act No. 57 of 2003))"; the term "review officer" in Article 13, paragraphs (1) and (2) of that Act is deemed to be replaced with the term "reviewing agency"; the phrase "has been filed or a written opinion to suggest the necessity to order a stay of execution as prescribed in Article 40 has been submitted by a review officer" in Article 25, paragraph (7) of that Act is deemed to be replaced with "has been filed"; the term "Administrative Complaint Review Board, etc." in Article 44 of that Act is deemed to be replaced with "Information Disclosure and Personal Information Protection Review Board (or a review board specified by another law if the President of the Board of Audit is the reviewing agency, the same applies in Article 50, paragraph (1), item (iv))"; in that Article, the phrase "has received a report to its consultation from the Administrative Complaint Review Board, etc. (or when a review officer's written opinion has been submitted in cases in which the consultation pursuant to the provisions of paragraph (1) of the preceding Article is not necessary (excluding the cases falling under item (ii) or (iii) of that paragraph), or when deliberations prescribed in item (ii) or (iii) of that paragraph have been held in the cases falling under item (ii) or (iii) of that paragraph)" is deemed to be replaced with "has received a report to its consultation from the Administrative Complaint Review Board, etc."; and the term "the review officer's written opinion or the written report from the Administrative Complaint Review Board, etc. or the Council, etc." in Article 50, paragraph (1), item (iv) of that Article is deemed to be replaced with "the Information Disclosure and Personal Information Protection Review Board".
(Consultation with the Review Board)
Article 105(1)Except in the cases that fall under any of the following items, when an appeal for review is filed for any inaction related to a decision on disclosure, a decision on correction, or a decision on ceasing to use personal information, or related to a request for disclosure, a request for correction, or a request for ceasing to use personal information, the administrative organ's head or administrative entity that is expected to make a determination on that appeal for review must consult the Information Disclosure and Personal Information Protection Review Board (or with a review board separately provided for by law, if the administrative organ's head or administrative entity that is expected to make a determination on the appeal is the President of the Board of Audit):
(i)if the appeal for review is unlawful and is to be dismissed;
(ii)if the whole appeal for review is upheld, and it is determined that all of the personal information the administrative entity holds that is subject to the appeal is to be disclosed (excluding cases in which a written opposition opinion has been submitted for the disclosure of the personal information the administrative entity holds);
(iii)if it is determined that the whole appeal for review is upheld and corrections to the personal information the administrative entity holds that is subject to the appeal are made;
(iv)if it is determined that the whole appeal for review is accepted and the use of the personal information the administrative entity holds that is subject to the appeal is to cease.
(2)An administrative organ's head or administrative entity that has made a consultation pursuant to the provisions of the preceding paragraph must notify the following persons to that effect:
(i)an appellant and an intervenor (meaning an intervenor as prescribed in Article 13, paragraph (4) of the Administrative Complaint Review Act; hereinafter the same applies in this paragraph and Article 107, paragraph (1), item (ii));
(ii)a person requesting disclosure, a person requesting correction, or a person making a request for ceasing to use personal information (excluding cases in which that person is an appellant or an intervenor);
(iii)a third party that has submitted a written opposition opinion regarding a disclosure of personal information an administrative entity holds that is subject to the appeal for review (excluding cases in which that third party is an appellant or an intervenor).
(3)The provisions of the preceding two paragraphs apply mutatis mutandis to a local government organ or a local incorporated administrative agency. In this case, the phrase "Information Disclosure and Personal Information Protection Review Board (or with a review board separately provided for by law, if the administrative organ's head or administrative entity that is expected to make a determination on the appeal is the President of the Board of Audit" in paragraph (1) is replaced with "organ referred to in Article 81, paragraph (1) or paragraph (2) of the Administrative Complaint Review Act".
(Exclusion from Application of Provisions Concerning Review Proceedings by Review Officers for Local Government Organs)
Article 106(1)The provisions of Article 9, paragraphs (1) through (3), Article 17, Article 40, Article 42, Chapter II, Section 4, and Article 50, paragraph (2) of the Administrative Complaint Review Act do not apply to an appeal for review to any inaction of a local government organ or a local incorporated administrative agency in relation to a decision on disclosure, a decision on correction, a decision on ceasing to use personal information, or in relation to a request for disclosure, a request for correction, or a request for ceasing to use personal information.
(2)With respect to the application of the provisions of the Administrative Complaint Review Act set forth in the left-hand column of the following table regarding an appeal for review to any inaction of a local government organ or a local incorporated administrative agency in relation to a decision on disclosure, a decision on correction, a decision on ceasing to use personal information, or in relation to a request for disclosure, a request for correction, or a request for ceasing to use personal information, the terms set forth in the middle column of that table that are used in these provisions are deemed to be replaced with the terms set forth in the right-hand column of that table; and any other necessary technical replacement of terms is specified by Cabinet Order.
| Provision of the Administrative Complaint Review Act | Term to be replaced | Replacement term |
|---|---|---|
| Article 9, paragraph (4) | In the case prescribed in the preceding paragraph, if it is found necessary, the reviewing agency | If it is found necessary, the administrative agency that has received a request for review pursuant to Article 4 or ordinance based on the provision of Article 107, paragraph (2) of the Act on the Protection of Personal Information (Act No. 57 of 2003) (including an administrative agency that takes over the appeal for review pursuant to the provisions in Article 14; hereinafter referred to as a "reviewing agency") |
| | Article 31, paragraph (1) as applied pursuant to the preceding paragraph following the deemed replacement of the terms | Article 31, paragraph (1) as applied pursuant to Article 106, paragraph (2) of that Act following the deemed replacement of the terms |
| | Article 34 as applied pursuant to the preceding paragraph following the deemed replacement of the terms | Article 34 as applied pursuant to Article 106, paragraph (2) of that Act following the deemed replacement of the terms |
| | Article 36 as applied pursuant to the preceding paragraph following the deemed replacement of the terms | Article 36 as applied pursuant to Article 106, paragraph (2) of that Act following the deemed replacement of the terms |
| Article 11, paragraph (2) | a person who has been designated pursuant to the provisions of Article 9, paragraph (1) (hereinafter referred to as a "review officer") | the reviewing agency |
| Article 13, paragraph (1) and (2), Article 28, Article 30, Article 31, Article 32, paragraph (3), Articles 33 through 37, Article 38, paragraphs (1) through (3) and (5), Article 39, and Article 41, paragraph (1) and (2) | review officer | reviewing agency |
| Article 25, paragraph (7) | When a petition for a stay of execution has been filed or a written opinion to suggest the necessity to order a stay of execution as prescribed in Article 40 has been submitted by a review officer | When a petition for a stay of execution has been filed |
| Article 29, paragraph (1) | When having been appointed by the reviewing agency, a review officer must immediately | When a request for review has been filed, except for the case of dismissing the request for review without prejudice pursuant to the provisions of Article 24, the reviewing agency must promptly |
| Article 29, paragraph (2) | A review officer | The reviewing agency that falls under any category other than the administrative agency, etc. reaching the disposition |
| | administrative agency, etc. reaching the disposition to submit a written explanation | submission of a written explanation, and the reviewing agency that falls under the administrative agency, etc. reaching the disposition is to prepare a written explanation within an appropriate period of time |
| Article 29, paragraph (5) | a review officer | the reviewing agency |
| | from the administrative agency, etc. reaching the disposition | from the administrative agency, etc. reaching the disposition or the reviewing agency has prepared a written explanation pursuant to the provisions of paragraph (2) |
| Article 30, paragraph (3) | intervenors and the administrative agency, etc. reaching the disposition | intervenors and the administrative agency, etc. reaching the disposition (when the administrative agency reaching the disposition falls under the reviewing agency, intervenors) |
| | relevant requestor for review and the administrative agency, etc. reaching the disposition | relevant requestor for review and the administrative agency, etc. reaching the disposition (when the administrative agency reaching the disposition falls under the reviewing agency, the relevant requestor for review) |
| Article 31, paragraph (2) | all of the persons concerned with proceedings | all of the persons concerned with proceedings (when the administrative agency, etc. reaching the disposition falls under the reviewing agency, the relevant requestor for review and intervenors; hereinafter, the same applies in this Section and Article 50, paragraph (1), item (iii)) |
| Article 41, paragraph (3) | a review officer | the reviewing agency |
| | the review officer should promptly give a notice to the persons concerned with proceedings to inform them of the conclusion of the procedures for proceedings and the time when the written opinion of the review officer prescribed in paragraph (1) of the following Article and the case record (meaning the written request for review, written explanation, and other documents and articles pertaining to the case wherein the request for review has been filed, which are specified by Cabinet Order; the same applies in paragraph (2) of the following Article and Article 43, paragraph (2)) are scheduled to be submitted to the Reviewing Agency. The same applies when the scheduled time of submission is altered | the reviewing agency should promptly give a notice to the persons concerned with proceedings to inform them of the conclusion of the procedures for proceedings |
| Article 44 | the Administrative Complaint Review Board, etc. | the organ set forth in Article 81, paragraph (1) or (2) |
| | (or when a review officer's written opinion has been submitted in the case where the consultation pursuant to the provisions of paragraph (1) of the preceding Article is not necessary (excluding the cases falling under item (ii) or (iii) of the relevant paragraph), or when deliberations prescribed in item (ii) or (iii) of the relevant paragraph have been held in the cases falling under item (ii) or (iii) of the relevant paragraph) | [Deleted] |
| Article 50, paragraph (1), item (iv) | the review officer's written opinion or the written reply from the Administrative Complaint Review Board, etc. or the council, etc. | the written reply from the organ set forth in Article 81, paragraph (1) or (2) |
| Article 74 as applied mutatis mutandis in Article 81, paragraph (3) | the reviewing agency that has consulted with the board pursuant to the provisions of Article 43, paragraph (1) | the reviewing agency |
(Procedures in Cases in Which an Appeal for Review from a Third Party is Dismissed)
Article 107(1)The provisions of Article 86, paragraph (3) apply mutatis mutandis to the cases in which the determination falls under any of the following items:
(i)a determination to dismiss without prejudice or dismiss with prejudice on the merits an appeal for review from a third party against a decision to disclose;
(ii)a determination that alters a decision on disclosure subject to an appeal for review (excluding a determination to disclose all of the personal information the administrative entity holds that is subject to a request for disclosure), and discloses the personal information relating to that appeal (limited to the case in which a third party intervenor has manifested an intention to oppose the disclosure of the information on that third party).
(2)With regard to an appeal for review to any inaction related to a decision on disclosure, a decision on correction, a decision on ceasing to use personal information, or related to a request for disclosure, a request for correction, or a request for ceasing to use personal information, the special provisions prescribed in Article 4 of the Administrative Complaint Review Act may be established as provided for by Cabinet Order (or as provided for by local ordinance, in cases of a local government organ or local incorporated administrative agency).
Subsection 5 Relationships with Local Ordinances
Article 108The provisions in this Section do not preclude a local government from providing necessary provisions by local ordinance regarding matters concerning the procedure for disclosing, correcting, or ceasing to use personal information an administrative entity holds, or for a request for review, unless they violate the provisions in this Section.
Section 5 Provision of Anonymized Personal Information Administrative Entities Hold
(Preparation and Provision of Anonymized Personal Information Administrative Entities Hold)
Article 109(1)An administrative organ's head or administrative entity may prepare anonymized personal information the administrative entity holds (limited to information constituting anonymized personal information files the administrative entity holds; hereinafter the same applies in this Section) pursuant to the provisions of this Section.
(2)Except cases that fall under any of the following items, an administrative organ's head or administrative entity must not provide other persons with anonymized personal information the administrative entity holds:
(i)cases based on laws and regulations (including cases subject to the provisions of this Section);
(ii)cases in which the administrative organ's head or administrative entity is allowed to provide the personal information the administrative entity holds to a third party for a purpose of use, and the administrative organ's head or administrative entity seeks to provide the third party with anonymized personal information the administrative entity holds into which the personal information in question has been processed;
(3)Notwithstanding the provisions of Article 69 and except cases based on laws and regulations, an administrative organ's head or administrative entity must not personally use or provide other persons with deleted information (limited to information constituting personal information the administrative entity holds) for any purpose other than the purpose of use.
(4)The term "deleted information" in the preceding paragraph means an identifier or the equivalent or individual identification code deleted from personal information an administrative entity holds which was used to prepare anonymized personal information it holds.
(Registration of Matters Relating to the Requests for Proposals in Personal Information File Registers)
Article 110If an administrative organ's head or administrative entity finds that a personal information file held by the administrative entity to which the head or entity in question belongs falls under all of the items in Article 60, paragraph (3), the following matters regarding that personal information file must be registered in the personal information file register; in applying the provisions in Article 75, paragraph (1) to that personal information file in this case, the term "item (x)" in that paragraph is deemed to be replaced with "item (x) and each item in Article 110":
(i)an indication that the personal information file is the subject matter of proposals requested under Article 112, paragraph (1);
(ii)the name and address of the organization receiving a proposal under Article 112, paragraph (1).
(Requesting Proposals)
Article 111As provided for by Order of the Personal Information Protection Commission, an administrative organ's head or administrative entity is to periodically request a proposal as specified in paragraph (1) of the following Article on a personal information file held by the administrative entity to which the head or entity in question belongs (limited to those for which matters listed in item (i) of the preceding Article are registered in the personal information file register; hereinafter the same applies in this Section).
(Proposals on the Business to be Conducted Using Anonymized Personal Information an Administrative Entity Holds)
Article 112(1)In response to a request under the preceding Article, if a person intends to use, for their business, anonymized personal information an administrative entity holds into which personal information constituting a personal information file it holds has been processed, that person may submit a proposal on their business to the administrative organ's head or administrative entity.
(2)A written document stating all of the following matters must be submitted to the administrative organ's head or administrative entity according to Order of the Personal Information Protection Commission for the proposal referred to in the preceding paragraph:
(i)the name and address of the person submitting the proposal, and the name of the representative if the person is a corporation or any other organization;
(ii)the name of the personal information file relating to the proposal;
(iii)the number of persons identifiable by the anonymized personal information the administrative entity holds that is related to the proposal;
(iv)beyond what is set forth in the preceding item, matters sufficient to identify the method of processing under Article 116, paragraph (1) that is used for preparing the anonymized personal information the administrative entity holds that is related to the proposal;
(v)the purpose and method of use of the anonymized personal information the administrative entity holds that is related to the proposal, and the description of the business in which the anonymized personal information the administrative entity holds is to be used;
(vi)the period during which the anonymized personal information the administrative entity holds that is related to the proposal is to be used for the business referred to in the preceding item;
(vii)measures to be taken for preventing the leaking and for other proper management of the anonymized personal information the administrative entity holds that is related to the proposal;
(viii)beyond what is set forth in each preceding item, matters prescribed by Order of the Personal Information Protection Commission.
(3)The documents referred to in the preceding paragraph must be accompanied by the documents listed below and other documents specified by Order of the Personal Information Protection Commission:
(i)a written pledge that the person making the proposal referred to in paragraph (1) does not fall under any of the items of the following Article;
(ii)a document making it clear that the business referred to in item (v) of the preceding paragraph contributes to the creation of new industries, the realization of a vibrant economic society, or enriching quality of life for the Japanese public.
(Grounds for Ineligibility)
Article 113A person falling under one of the following items may not make a proposal in paragraph (1) of the preceding Article:
(i)a minor;
(ii)any person specified by Order of the Personal Information Protection Commission as being unable to properly conduct business which uses anonymized personal information an administrative entity holds that is related to the proposal under paragraph (1) of the preceding Article due to a mental or physical disorder;
(iii)a person subject to an order commencing bankruptcy proceedings that has not been released from bankruptcy restrictions;
(iv)a person that has been sentenced to imprisonment or a heavier punishment or sentenced under the provisions of this Act, if two years have not yet elapsed since the date on which the person finished serving the sentence or was not subject to its enforcement;
(v)a person whose contract to use anonymized personal information that an administrative entity holds was canceled under Article 120, if two years have not yet elapsed since the date of the cancellation;
(vi)a person that is a corporation or any other organization, any of whose officers falls under any of the conditions referred to in the preceding items.
(Examination of Proposals)
Article 114(1)If a proposal referred to in Article 112, paragraph (1) is submitted, the administrative organ's head or administrative entity must examine whether it meets the following criteria:
(i)the person making the proposal referred to in Article 112, paragraph (1) does not fall under any of the items in the preceding Article;
(ii)the number of persons identifiable by the anonymized personal information the administrative entity holds that is related to the proposal referred to in Article 112, paragraph (2), item (iii) is equal to or more than the number specified by Order of the Personal Information Protection Commission from the viewpoint of effective use of that anonymized personal information, and is less than or equal to the number of persons identifiable by the personal information the administrative entity holds that constitutes the personal information file related to the proposal;
(iii)the processing method specified under Article 112, paragraph (2), items (iii) and (iv) conforms to the criteria referred to in Article 116, paragraph (1);
(iv)the business referred to in Article 112, paragraph (2), item (v) contributes to the creation of new industries, or the realization of a vibrant economic society, or enriching quality of life for the Japanese public;
(v)the period referred to in Article 112, paragraph (2), item (vi) does not exceed the period specified by Order of the Personal Information Protection Commission from the viewpoint of effective use of anonymized personal information the administrative entity holds;
(vi)the purpose and method of use of the anonymized personal information the administrative entity holds that is related to the proposal referred to in Article 112, paragraph (2), item (v), and the measures referred to in item (vii) of that paragraph are appropriate for protecting the rights and interests of persons identifiable by that anonymized personal information;
(vii)beyond what is set forth in each preceding item, the proposal conforms to the criteria prescribed by Order of the Personal Information Protection Commission.
(2)If, as a result of the examination under the preceding paragraph, the administrative organ's head or administrative entity finds that the proposal referred to in Article 112, paragraph (1) conforms to all of the criteria listed in the items of the preceding paragraph, the administrative organ's head or administrative entity is to notify the person that has submitted the proposal of the following matters, pursuant to the provisions of the Order of the Personal Information Protection Commission:
(i)an indication that the person may conclude a contract with the administrative organ's head or administrative entity for the use of the anonymized personal information the administrative entity holds, pursuant to the provisions of the following Article;
(ii)beyond what is set forth in the preceding item, matters prescribed by Order of the Personal Information Protection Commission.
(3)If, as a result of the examination under paragraph (1), the administrative organ's head or administrative entity finds that the proposal referred to in Article 112, paragraph (1) does not conform to one of the criteria listed in the items of paragraph (1), the administrative organ's head or administrative entity is to notify the person that has submitted the proposal to that effect, and the grounds for it, pursuant to the provisions of the Order of the Personal Information Protection Commission.
(Conclusion of a Contract for the Use of Anonymized Personal Information an Administrative Entity holds)
Article 115A person that has received a notice under paragraph (2) of the preceding Article may conclude a contract with an administrative organ's head or administrative entity for the use of the anonymized personal information the administrative entity holds, pursuant to the provisions of the Order of the Personal Information Protection Commission.
(Preparation of Anonymized Personal Information of an Administrative Entity)
Article 116(1)If an administrative organ's head or administrative entity prepares anonymized personal information the administrative entity holds, the administrative organ's head or administrative entity must process the personal information the administrative entity holds, in accordance with the criteria specified by Order of the Personal Information Protection Commission as necessary for making it impossible to identify a specific individual or to restore that personal information to its original state.
(2)The provisions in the preceding paragraph apply mutatis mutandis if a person that an administrative entity has entrusted (including entrustment via two or more layers) with the preparation of the anonymized personal information it holds conducts that entrusted business.
(Registration of Matters Relating to Anonymized Personal Information an Administrative Entity Holds in the Personal Information File Register)
Article 117If an administrative organ's head or administrative entity prepares the anonymized personal information the administrative entity holds, the administrative organ's head or administrative entity must register the following matters in the personal information file register, for a personal information file that contains the personal information the administrative entity holds that has been used to prepare that anonymized personal information; in applying Article 75, paragraph (1) as applied pursuant to the provisions of Article 110 following the deemed replacement of the terms to the personal information file in this case, the term "and each item in Article 110" in that paragraph is deemed to be replaced with "each item in Article 110 and each item in Article 117.":
(i)matters to describe the outline of anonymized personal information the administrative entity holds, as specified by the Order of the Personal Information Protection Commission;
(ii)the name and address of the organization to which a proposal referred to in paragraph (1) of the following Article is given;
(iii)the period during which a proposal referred to in paragraph (1) of the following Article may be submitted.
(Proposal of Business to Be Conducted Using Prepared Anonymized Personal Information an Administrative Entity Holds)
Article 118(1)If a person intends to use, for their business, anonymized personal information an administrative entity holds for which matters set forth in item (i) of the preceding Article are registered in the personal information file register pursuant to the provisions of that Article, the person may submit a proposal on that business to the administrative organ's head or administrative entity. The same applies if a person has concluded a contract for the use of the anonymized personal information the administrative entity holds, pursuant to the provisions of Article 115, and seeks to alter the business for which the person will use that information.
(2)The provisions of Article 112, paragraphs (2) and (3), and Articles 113 through 115 apply mutatis mutandis to the proposal referred to in the preceding paragraph. In this case, the term "the following matters" in Article 112, paragraph (2) is deemed to be replaced with "matters prescribed in item (i), and items (iv) through (viii)"; the term "beyond what is set forth in the preceding item, matters" in item (iv) of that paragraph is deemed to be replaced with "matters" and the phrase "identify the processing method under Article 116, paragraph (1) that is used for preparing the anonymized personal information the administrative entity holds that is related to" is deemed to be replaced with "identify"; the phrase "in each preceding item" in item (viii) of that paragraph is deemed to be replaced with "in item (i) and items (iv) through (viii)"; the term "the following criteria" in Article 114, paragraph (1) is deemed to be replaced with "the criteria prescribed in item (i), and items (iv) through (vii)"; the term "each preceding item" in item (vii) of that paragraph is deemed to be replaced with "item (i) and the preceding three items"; the term "the items of the preceding paragraph" in paragraph (2) of that Article is deemed to be replaced with "item (i) and items (iv) through (vii) of the preceding paragraph"; the term "one of the criteria listed in the items of paragraph (1)" in paragraph (3) of that Article is deemed to be replaced with "one of the criteria listed in item (i) and items (iv) through (vii) of paragraph (1)".
(Fees)
Article 119(1)As prescribed by Cabinet Order, a person that concludes a contract with an administrative organ's head or administrative entity for the use of anonymized personal information an administrative entity holds, pursuant to the provisions of Article 115, must pay a fee specified by Cabinet Order in consideration of the actual cost.
(2)As prescribed by Cabinet Order, a person that concludes a contract with an administrative organ's head or administrative entity for the use of anonymized personal information an administrative entity holds, pursuant to the provisions of Article 115 as applied mutatis mutandis pursuant to paragraph (2) of the preceding Article, must pay a fee prescribed by Cabinet Order in consideration of the amount of the fee prescribed by Cabinet Order as provided for in the preceding paragraph.
(3)As prescribed by local ordinance, a person that concludes a contract with a local government organ for the use of anonymized personal information an administrative entity holds, pursuant to the provisions of Article 115, must pay a fee prescribed by local ordinance based on the amount prescribed by Cabinet Order in consideration of the actual cost.
(4)As prescribed by local ordinance, a person that concludes a contract with a local government organ for the use of anonymized personal information an administrative entity holds, pursuant to the provisions of Article 115 as applied mutatis mutandis pursuant to paragraph (2) of the preceding Article, must pay a fee specified by local ordinance based on the amount prescribed by Cabinet Order in consideration of the amount of the fee specified by Cabinet Order as provided for in the preceding paragraph.
(5)A person that concludes a contract with an incorporated administrative agency or other prescribed corporation for the use of anonymized personal information an administrative entity holds, pursuant to the provisions of Article 115 (including as applied mutatis mutandis pursuant to the provisions of paragraph (2) of the preceding Article; hereinafter that applies in paragraph (8) and the following Article), must pay a usage fee, as prescribed by the incorporated administrative agency or other prescribed corporation.
(6)An incorporated administrative agency or other prescribed corporation specifies the amount of the usage fee referred to in the preceding paragraph within a range which is found to be reasonable in consideration of the actual cost.
(7)The incorporated administrative agency or other prescribed corporation must make the rules under the preceding two paragraphs available for general inspection.
(8)A person that concludes a contract with a local incorporated administrative agency for the use of anonymized personal information an administrative entity holds, pursuant to the provisions of Article 115, must pay a fee specified by the local incorporated administrative agency.
(9)A local incorporated administrative agency specifies the amount of the fee referred to in the preceding paragraph in consideration of the actual cost and the amount of the fee set forth in local ordinance as provided for in paragraph (3) or paragraph (4).
(10)The local incorporated administrative agency must make the rules under the preceding two paragraphs available for general inspection.
(Cancellation of a Contract for the Use of Anonymized Personal Information an Administrative Entity Holds)
Article 120If a person that has concluded a contract for the use of anonymized personal information an administrative entity holds, pursuant to the provisions of Article 115, falls under one of the following items, the administrative organ's head or administrative entity may cancel the contract:
(i)the contract has been concluded by deception or other wrongful means;
(ii)the person falls under one of the items of Article 113 (including as applied mutatis mutandis pursuant to the provisions of Article 118, paragraph (2));
(iii)a serious breach of any provisions in the contract was committed.
(Prohibition of Identifying Persons)
Article 121(1)Except cases based on laws and regulations, in handling anonymized personal information an administrative entity holds, the administrative organ's head or administrative entity must not collate that anonymized personal information with other information in order to identify a person identifiable by personal information that was used to prepare that anonymized personal information.
(2)An administrative organ's head or administrative entity must take necessary measures for proper management of the anonymized personal information the administrative entity holds, deleted information prescribed in Article 109, paragraph (4), and information on the method of the processing as performed under Article 116, paragraph (1) (hereinafter referred to as "anonymized personal information and other related information of an administrative entity" in this Article and the following Article), in accordance with the criteria specified by Order of the Personal Information Protection Commission as necessary for preventing the leaking of anonymized personal information and other related information of an administrative entity.
(3)The provisions of the preceding two paragraphs apply mutatis mutandis if an administrative entity entrusts (including entrustment via two or more layers) a person to handle anonymized personal information and other related information of the administrative entity, and that person performs those entrusted activities.
(Employee's Obligations)
Article 122An employee or former employee of an administrative entity handling anonymized personal information and other related information of the administrative entity, a person engaged in or formerly engaged in the entrusted activities referred to in paragraph (3) of the preceding Article, or a staffing agency worker or former staffing agency worker that handles anonymized personal information and other related information of an administrative entity must not disclose anonymized personal information and other related information of an administrative entity acquired in the course of that person's work to other persons without reason, or use that information for an unjust purpose.
(Obligations on the Handling of Anonymized Personal Information)
Article 123(1)Except cases based on laws and regulations, before providing anonymized personal information (excluding anonymized personal information an administrative entity holds; hereinafter the same applies in this Article) to a third party, an administrative entity must disclose the categories of information on an individual that is contained in anonymized personal information it will provide to the third party, and the means of providing this, and state to that third party explicitly to the effect that the information it will provide is anonymized personal information, pursuant to Order of the Personal Information Protection Commission.
(2)Except cases based on laws and regulations, in handling anonymized personal information, an administrative entity must neither obtain information relating to the identifier or the equivalent, individual identification codes, or information on the method of processing as performed under Article 43, paragraph (1) that has been deleted from the personal information, nor collate that anonymized personal information with other information, in order to identify a person identifiable by the personal information that was used to prepare the anonymized personal information.
(3)An administrative entity must take necessary measures for proper management of the anonymized personal information in accordance with the criteria specified by Order of the Personal Information Protection Commission as necessary for preventing the leaking of anonymized personal information.
(4)The provisions of the preceding two paragraphs apply mutatis mutandis if an administrative entity entrusts (including entrustment via two or more layers) a person to handle its anonymized personal information and that person performs those entrusted activities.
Section 6 Miscellaneous Provisions
(Exclusion from Application)
Article 124(1)The provisions of Section 4 do not apply to personal information an administrative entity holds in relation to a judgment in a criminal case or juvenile protection case, a disposition executed by a public prosecutor, a public prosecutor's assistant officer, or judicial police personnel, execution of a punishment or protective measure, post-incarceration rehabilitation services, or pardon (limited to personal information an administrative entity holds in relation to a person on whom that judgment or measure was delivered, a person towards whom the punishment or protective measure was executed, a person who applied for post-incarceration rehabilitation services, or a person who filed a petition for pardon).
(2)Of the personal information an administrative entity holds (limited to information recorded in administrative or similar documents that exclusively contain the non-disclosure information prescribed in Article 5 of the Administrative Organs Information Disclosure Act, in Article 5 of the Administrative Organs Information Disclosure Act, or in the information disclosure ordinance), information that has yet to be classified or otherwise put in order and from which it is extremely difficult to retrieve particular personal information the administrative entity holds due to the existence of a very large amount of information relating to the same purpose of use is deemed as not being held by the administrative entity with respect to application of the provisions of Section 4 (excluding Subsection 4).
(Exception to Application)
Article 125(1)The provisions of this Chapter (excluding Section 1; Article 66, paragraph (1) as applied mutatis mutandis in paragraph (2) of that Article (limited to the part relating to items (iv) and (v) (limited to the part relating to item (iv) of that paragraph)); Article 75; the preceding two Sections; paragraph (2) of the preceding Article; and Article 127), Article 176, Article 180 (excluding the part relating to business prescribed in Article 66, paragraph (2), items (iv) and (v) (limited to the part relating to item (iv) of that paragraph)), and Article 181 do not apply to the handling of personal information, pseudonymized personal information or information related to personal information by a person set forth in one of the items of Article 58, paragraph (2) in the business prescribed in those items.
(2)In cases of the handling of personal information or anonymized personal information by a person set forth in one of the items of Article 58, paragraph (1), a person set forth in item (i) of that paragraph is deemed to be an incorporated administrative agency or other prescribed corporation; a person set forth in item (ii) of that paragraph is deemed to be a local incorporated administrative agency; and the provisions of Section 1, Article 75, the preceding two Sections, paragraph (2) of the preceding Article, Article 127, and the following Chapter through Chapter 8 (excluding Article 176, Article 180 and Article 181) apply.
(3)To apply the provisions of Article 98 to a person set forth in one of the items of paragraph (1) and (2) of Article 58 (limited to cases in which business prescribed in one of the items of that paragraph is conducted), the phrase "is held in violation of Article 61, paragraph (2), is handled in violation of Article 63, is acquired in violation of Article 64, or is used in violation of Article 69, paragraphs (1) and (2)" in paragraph (1), item (i) of that Article is deemed to be replaced with "is held in violation of Article 18 or Article 19, or is obtained in violation of Article 20"; and the term "Article 69, paragraph (1) and (2) or Article 71, paragraph (1)" in item (ii) of that paragraph is deemed to be replaced with "Article 27, paragraph (1) or Article 28".
(Delegation of Authority or Processes)
Article 126The head of an administrative organ may delegate the authority or processes prescribed in Section 2 through the preceding Section (excluding Article 74 and Section 4, Subsection 4) to employees of that administrative organ, pursuant to Cabinet Order (or in the case of an organ established under the jurisdiction of the Cabinet or in the case of the Board of Audit, pursuant to an order of those organs).
(Provision of Information to a Person That Intends to Make a Request or Proposal)
Article 127In order to allow a person that intends to make a request for disclosure, a request for correction, a request for ceasing to use personal information, or a proposal under Article 112, paragraph (1) or Article 118, paragraph (1) (hereinafter referred to as a "request or proposal" in this Article) to make that request or proposal easily and appropriately, an administrative organ's head or administrative entity is to provide information that contributes to specifying the personal information held by the administrative entity to which the head or entity in question belongs, and is also to take other adequate measures in consideration of convenience for the person that intends to make the request or proposal.
(Complaint Processing on the Handling of Personal or Other Related Information by an Administrative Entity)
Article 128An administrative organ's head or administrative entity must endeavor to properly and expeditiously process a complaint on the handling of personal information, pseudonymized personal information or anonymized personal information in that administrative entity.
(Consultation with Council Established in a Local Government)
Article 129When implementing measures referred to in Section 3 of Chapter III, a local government organ may consult a council or other collegial body as prescribed by local ordinance, if it is found necessary to hear the opinion based on expertise in order to ensure the proper handling of personal information.
Chapter VI The Personal Information Protection Commission
Section 1 Establishment
(Establishment)
Article 130(1)The Personal Information Protection Commission (hereinafter referred to as the "Commission") is to be established based on the provisions of Article 49, paragraph (3) of the Act for Establishment of the Cabinet Office.
(2)The Commission belongs to the jurisdiction of the Prime Minister.
(Duties)
Article 131The Commission is to assume the duties of pursuing ensuring the proper handling of personal information (including taking measures such as giving guidance and advice to a person in charge of a process using an individual number, etc. (meaning a person in charge of a process using an individual number, etc. as prescribed in Article 12 of the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No.27 of 2013; hereinafter referred to as the "Number Use Act"))) in order to protect individual rights and interests while ensuring smooth and proper management of the processes or services of administrative entities as well as ensuring due consideration of the value of personal information, and the fact that the proper and effective application of personal information contributes to the creation of new industries and the realization of a vibrant economic society and enriching quality of life for the Japanese public.
(Functions under Jurisdiction)
Article 132The Commission is to administer the following affairs in order to fulfil the duties referred to in the preceding Article:
(i)affairs related to the formulation and promotion of a basic policy;
(ii)affairs (excluding those set forth in item (iv)) related to supervision of the handling of personal information by a business handling personal information, the handling of pseudonymized personal information by a business handling personal information or pseudonymized personal information, the handling of anonymized personal information by a business handling personal information or anonymized personal information, the handling of information related to personal information by a business handling information related to personal information; affairs related to monitoring over the handling of personal information, pseudonymized personal information, anonymized personal information and information related to personal information by an administrative entity; affairs related to necessary mediation on a lodged complaint related to the handling of personal information, pseudonymized personal information and anonymized personal information; and affairs related to cooperation with a business that deals with that complaint;
(iii)affairs related to a certified personal information protection organization;
(iv)affairs related to monitoring and supervision over the handling of specific personal information (meaning specific personal information prescribed in Article 2, paragraph (8) of the Number Use Act), and those related to necessary mediation on a lodged complaint and related to cooperation with a business that deals with the complaint;
(v)affairs related to specific personal information protection assessment (meaning specific personal information protection assessment prescribed in Article 27, paragraph (1) of the Number Use Act);
(vi)affairs related to public relations and awareness raising on the protection of, and the proper and effective application of, personal information;
(vii)affairs related to an investigation and research necessary to administer those affairs set forth in one of the preceding items;
(viii)affairs related to international cooperation relating to the function under the jurisdiction;
(ix)beyond what is set forth in each preceding item, affairs which come under the jurisdiction of the Commission based on a law (including an order based on it).
(Independence on Exercising Authority)
Article 133A chairperson and commissioners of the Commission exercise their official authority independently.
(Organization)
Article 134(1)The Commission is to be composed of a chairperson and eight commissioners.
(2)Four of the commissioners are to serve on a part-time basis.
(3)A chairperson and a commissioner are to be appointed by the Prime Minister with consent of both Houses of the Diet from among those with high character and deep insight.
(4)A chairperson and commissioners are to encompass a person who has relevant expertise on protection of personal information, and its proper and effective application; a person who has sufficient knowledge and experience to protect consumers; a person who has relevant expertise on information processing technologies; a person who has relevant expertise in public administrative fields; a person who has sufficient knowledge and experience on private-sector business practices; and a person recommended by a federate organization (meaning a federate organization under Article 263-3, paragraph (1) of the Local Autonomy Act that has given a notification under that paragraph).
(Term of Office)
Article 135(1)The term of office for a chairperson or commissioner is to be five years; provided, however, that the term of office of a chairperson or commissioner appointed to fill a vacancy is to be the remaining term of office of the predecessor.
(2)A chairperson or commissioner may be reappointed.
(3)When the term of office for a chairperson or commissioner has expired, the chairperson or commissioner is to continue to fulfil their duties until their successor is appointed.
(4)Notwithstanding the provisions of paragraph (3) of the preceding Article, if the term of office of a chairperson or commissioner has expired or a vacancy has occurred, but the consent of both Houses of the Diet is not able to be obtained due to the closing of the Diet or the dissolution of the House of Representatives, the Prime Minister may appoint a chairperson or commissioner from among those who have those qualifications prescribed in that paragraph.
(5)In the case referred to in the preceding paragraph, subsequent approval by both Houses of the Diet must be obtained in the first Diet session after the appointment. In this case, if the subsequent approval by both Houses of the Diet is not able to be obtained, the Prime Minister must immediately dismiss the chairperson or commissioner.
(Guarantee of Status)
Article 136Neither a chairperson nor a commissioner may be dismissed against their will while in office, except cases falling under one of the following items:
(i)they have been subject to an order commencing bankruptcy proceedings;
(ii)they have been punished in violation of this Act or the Number Use Act;
(iii)they have been sentenced to imprisonment without work or heavier punishment;
(iv)the Commission has recognized that they are incapable of fulfilling the duties because of a mental or physical disorder, or have committed a violation of obligation in the course of their duties or other misconduct unbecoming to a chairperson or commissioner.
(Dismissal)
Article 137If a chairperson or commissioner falls under one of the items of the preceding Article, the Prime Minister must dismiss the chairperson or commissioner.
(The Chairperson)
Article 138(1)A chairperson is to preside over rules and proceedings of the Commission and represent the Commission.
(2)The Commission must designate in advance from among full-time commissioners an acting chairperson in cases in which the chairperson is unavailable.
(Meetings)
Article 139(1)A meeting of the Commission is to be called by a chairperson.
(2)The Commission may neither hold a meeting nor make a decision, unless a chairperson and four or more commissioners are present.
(3)A decision of the Commission is to be adopted by a majority of attendees, and when in a tie, a chairperson is to make a decision.
(4)Notwithstanding the provisions of the preceding paragraph, there must be a unanimous concurrence of all commissioners on the recognition under Article 136, paragraph (4), except for the commissioner concerned.
(5)In applying the provisions of paragraph (2) in cases in which a chairperson is unavailable, an acting chairperson as prescribed in paragraph (2) of the preceding Article is deemed as a chairperson.
(Specialist Commissioners)
Article 140(1)A specialist commissioner may be assigned to the Commission in order to investigate specialized matters.
(2)A specialist commissioner is to be appointed by the Prime Minister based on a proposal made by the Commission.
(3)A specialist commissioner is to be dismissed when they finish their investigation into the specialized matters.
(4)A specialist commissioner is to serve on a part-time basis.
(The Secretariat)
Article 141(1)The secretariat is to be established for the purpose of administrating the Commission's affairs.
(2)The secretary general and other staff are to be assigned to the secretariat.
(3)The secretary general is to administer the secretariat's affairs in accordance with the order of the chairperson.
(Prohibition of Political Campaigning)
Article 142(1)Neither a chairperson nor a commissioner may become an officer of a political party or other political organization or actively conduct a political campaign, while in office.
(2)Except cases in which there has been permission from the Prime Minister, a chairperson or full-time commissioner, while in office, must not engage in any other jobs with remuneration, run a profit-making business, or perform other services for the purpose of gaining monetary profit.
(Confidentiality Obligations)
Article 143The chairperson, commissioners, specialist commissioners, and secretarial staff must not divulge or misappropriate any secret that has come to their knowledge in the course of duties. The same also applies after they have left their position.
(Remuneration)
Article 144The remuneration of the chairperson and commissioners is prescribed separately by law.
(Establishment of Orders)
Article 145The Commission may establish the Order of the Personal Information Protection Commission regarding its function under the jurisdiction in order to enforce a law or Cabinet Order, or on the basis of a special delegation under a law or Cabinet Order.
Section 2 Supervision and Monitoring
Subsection 1 Supervision of Businesses Handling Personal or Other Related Information
(Reports and On-Site Inspections)
Article 146(1)The Commission may require a business handling personal information, a business handling pseudonymized personal information, a business handling anonymized personal information, a business handling information related to personal information (hereinafter referred to as a "business handling personal or other related information" in this Subsection), or other concerned person to submit necessary information or material relating to the handling of personal information, pseudonymized personal information, anonymized personal information, or information related to personal information (hereinafter referred to as "personal or other related information" in this Subsection and Subsection 3), or have its officials enter a business office or other necessary place of a business handling personal or other related information or other concerned person, inquire about the handling of personal or other related information, or inspect a book, document, or other item, to the extent necessary to implement the provisions of Chapter IV (excluding Section 5; the same applies in the following Article and Article 151).
(2)An official who conducts an on-site inspection pursuant to the provisions of the preceding paragraph must carry a certificate for identification, and present it when requested by a person concerned.
(3)An on-site inspection authority under paragraph (1) must not be construed as granted for a criminal investigation.
(Guidance and Advice)
Article 147The Commission may provide a business handling personal or other related information with necessary guidance and advice on the handling of personal or other related information, to the extent necessary to implement the provisions of Chapter IV.
(Recommendations and Orders)
Article 148(1)The Commission may recommend a business handling personal or other related information to stop committing the following violations or take other necessary measures to rectify the violation, if the Commission finds that there is a need for protecting individual rights and interests in cases in which a business handling personal information has violated the provisions of Articles 18 through 20, Article 21 (including the cases in which the provisions of paragraphs (1), (3) and (4) are applied pursuant to Article 41, paragraph (4) following the deemed replacement of terms), Articles 23 through 26, Article 27 (excluding paragraph (4), and including the cases in which the provisions of paragraphs (5) and (6) are applied pursuant to Article 41, paragraph (6) following the deemed replacement of terms), Article 28, Article 29 (including the cases in which the provisions of the proviso of paragraph (1) are applied pursuant to Article 41, paragraph (6) following the deemed replacement of terms), Article 30 (excluding paragraph (2), and including the cases in which the provisions of the proviso of paragraph (1) are applied pursuant to Article 41, paragraph (6) following the deemed replacement of terms), Article 32, Article 33 (excluding paragraph (1) (including as applied mutatis mutandis pursuant to paragraph (5))), Article 34, paragraph (2) or paragraph (3), Article 35 (excluding paragraphs (1), (3) and (5)), Article 38, paragraph (2), Article 41 (excluding paragraphs (4) and (5)) or Article 43 (excluding paragraph (6)); in cases in which a business handling information related to personal information has violated the provisions of Article 31, paragraph (1), has violated the provisions of Article 28, paragraph (3) as applied mutatis mutandis pursuant to Article 31, paragraph (2) following the deemed replacement of terms, or has violated the provisions of Article 30, paragraph (3) or paragraph (4) as applied mutatis mutandis pursuant to Article 31, paragraph (3) following the deemed replacement of terms; in cases in which a business handling pseudonymized personal information has violated the provisions of Article 42, paragraph (1), has violated Article 27, paragraph (5) or paragraph (6) as applied mutatis mutandis pursuant to Article 42, paragraph (2) following the deemed replacement of terms, or has violated the provisions of Articles 23 through 25 or Article 41, paragraph (7) or paragraph (8) as applied mutatis mutandis pursuant to Article 42, paragraph (3) following the deemed replacement of terms; or in cases in which a business handling anonymized personal information has violated the provisions of Article 44 or Article 45.
(2)If a business handling personal or other related information has received a recommendation under the preceding paragraph but has not taken measures in line with the recommendation without legitimate grounds, and the Commission finds that a serious infringement of individual rights and interests is impending, the Commission may order the business handling personal or other related information to take measures in line with the recommendation.
(3)Notwithstanding the provisions of the preceding two paragraphs, the Commission may order a business handling personal or other related information to stop the following violations or take other necessary measures to rectify the violation, if the Commission finds that there is a need to take urgent measures because there is a fact that seriously prejudices individual rights and interests in cases in which a business handling personal information has violated the provisions of Articles 18 through 20, Articles 23 through 26, Article 27, paragraph (1), Article 28, paragraph (1) or paragraph (3), Article 41, paragraphs (1) through (3), or paragraphs (6) through (8), or Article 43, paragraph (1), paragraph (2) or paragraph (5); in cases in which a business handling information related to personal information has violated the provisions of Article 31, paragraph (1), or has violated the provisions of Article 28, paragraph (3) as applied mutatis mutandis pursuant to Article 31, paragraph (2) following the deemed replacement of terms; in cases in which a business handling pseudonymized personal information has violated the provisions of Article 42, paragraph (1), or has violated the provisions of Articles 23 through 25 or Article 41, paragraph (7) or paragraph (8) as applied mutatis mutandis pursuant to Article 42, paragraph (3) following the deemed replacement of terms; or in cases in which a business handling anonymized personal information has violated the provisions of Article 45.
(4)If the Commission has issued an order under the preceding two paragraphs and the business handling personal or other related information that has received the order has violated the order, the Commission may make a public announcement to that effect.
(Restriction on the Commission's Exercising the Authority)
Article 149(1)When requiring a business handling personal or other related information to submit a report or material, conducting its on-site inspection, or giving it guidance, advice, a recommendation or an order, pursuant to the provisions of the preceding three paragraphs, the Commission must not preclude the freedom of expression, freedom of academia, freedom of religion, and freedom of political activity.
(2)In light of the purport of the provisions of the preceding paragraph, the Commission is not to exercise its authority when a business handling personal or other related information provides personal or other related information to a person set forth in one of the items of Article 57, paragraph (1) (limited to cases in which the person handles personal or other related information for the purpose prescribed in those items).
(Delegation of the Authority)
Article 150(1)If the Commission finds that there is a need for effectively giving a business handling personal or other related information a recommendation under Article 148, paragraph (1) or order under Article 148, paragraph (2) or paragraph (3) because there is a need to urgently and intensively ensure the proper handling of personal or other related information or similar other circumstances prescribed by Cabinet Order, the Commission may delegate an authority under Article 26, paragraph (1); under Article 146, paragraph (1); under Article 99, Article 101, Article 103, Article 105, Article 106, Article 108 or Article 109 of the Code of Civil Procedure (Act No. 109 of 1996) as applied mutatis mutandis pursuant to the provisions of Article 162 following the deemed replacement of terms; under Article 163; and under Article 164 to the competent minister for the business, as prescribed by Cabinet Order.
(2)When having exercised an authority delegated pursuant to the provisions of the preceding paragraph, the competent minister for the business is to report its results to the Commission as prescribed by Cabinet Order.
(3)The competent minister for the business may delegate all or part of an authority delegated pursuant to the provisions of paragraph (1) or all or part of an authority under the preceding paragraph to the head of a local branch bureau under Article 43 of the Act for Establishment of the Cabinet Office or other bureau or organ prescribed by Cabinet Order, pursuant to the provisions of Cabinet Order.
(4)The Prime Minister delegates an authority delegated pursuant to the provisions of paragraph (1) and an authority under paragraph (2) (limited to those relating to the Financial Services Agency's jurisdiction and excluding those prescribed by Cabinet Order) to the Commissioner of the Financial Services Agency.
(5)The Commissioner of the Financial Services Agency may delegate a part of an authority delegated pursuant to the provisions of the preceding paragraph to the Securities and Exchange Surveillance Commission, pursuant to the provisions of Cabinet Order.
(6)The Commissioner of the Financial Services Agency may delegate a part of an authority delegated pursuant to the provisions of paragraph (4) (excluding those delegated to the Securities and Exchange Surveillance Commission pursuant to the provisions of the preceding paragraph) to the director-general of a local finance bureau or local finance branch bureau, pursuant to the provisions of Cabinet Order.
(7)The Securities and Exchange Surveillance Commission may delegate a part of an authority delegated pursuant to the provisions of paragraph (5) to the director-general of a local finance bureau or local finance branch bureau, pursuant to the provisions of Cabinet Order.
(8)As for administrative affairs relating to an authority delegated to the director-general of a local finance bureau or local finance branch bureau pursuant to the provisions of the preceding paragraph, the Securities and Exchange Surveillance Commission directs and supervises the director-general of a local finance bureau or local finance branch bureau.
(9)In the case referred to in paragraph (5), an appeal for review concerning the Securities and Exchange Surveillance Commission's requiring the submission of a report or material (including cases in which the director-general of a local finance bureau or local finance branch bureau does so pursuant to the provisions of paragraph (7)) may only be filed against the Securities and Exchange Surveillance Commission.
(Requests by the Competent Minister for the Business)
Article 151If the competent minister for the business finds that a business handling personal or other related information has committed an act violating the provisions of Chapter IV, or there is a need for ensuring the proper handling of personal or other related information by a business handling personal or other related information, the minister may request that the Commission take appropriate measures in accordance with the provisions of this Act.
(The Competent Minister for the Business)
Article 152The competent minister for the business in the provisions of this Subsection is as follows:
(i)the competent minister for the handling of personal or other related information by a business handling personal or other related information that is relating to employment management is: the Minister of Health, Labor and Welfare (or as for those relating to a mariner's employment management, the Minister of Land, Infrastructure, Transport and Tourism); and a minister having jurisdiction over the business conducted by the business handling personal or other related information, the National Public Safety Commission, or the Japan Casino Regulatory Commission (referred to collectively as the "minister or commission" in the following item);
(ii)the competent minister for the handling of personal or other related information by a business handling personal or other related information other than the ones set forth in the preceding item is: the minister or commission having jurisdiction over the business conducted by the business handling personal or other related information.
Subsection 2 Supervision of Certified Personal Information Protection Organizations
(Calling for Reports)
Article 153The Commission may call for a certified personal information protection organization to report on its certified services, to the extent necessary to implement the provisions of Section 5 of Chapter IV.
(Orders)
Article 154The Commission may order a certified personal information protection organization to improve a method of rendering certified services, alter personal information protection guidelines, or take any other necessary measures, to the extent necessary to implement the provisions of Section 5 of Chapter IV.
(Rescinding Certification)
Article 155(1)If a certified personal information protection organization falls under one of the following items, the Commission may rescind the certification:
(i)the organization has led to falling under Article 48, item (i) or item (iii);
(ii)the organization has become unconformable to one of the items of Article 49;
(iii)the organization has violated the provisions of Article 55;
(iv)the organization disobeys an order under the preceding Article;
(v)the organization has received a certification under Article 47, paragraph (1), or a certification of alteration under Article 50, paragraph (1) by wrongful means.
(2)When having rescinded a certification pursuant to the provisions of the preceding paragraph, the Commission must announce to the public to that effect.
Subsection 3 Monitoring of Administrative Entities
(Requests for Submission of Materials and Firsthand Inspection)
Article 156If the Commission finds it necessary for smooth application of the provisions of the preceding Chapter, the Commission may request an administrative organ's head or administrative entity (excluding the President of the Board of Audit; hereinafter the same applies in this Subsection) to submit materials on and explain the state of implementation concerning the handling of personal or other related information by an administrative entity, or may have its employees conduct firsthand inspection.
(Guidance and Advice)
Article 157If the Commission finds it necessary for smooth application of the provisions of the preceding Chapter, the Commission may give necessary guidance and advice to an administrative organ's head or administrative entity concerning the handling of personal or other related information by an administrative entity.
(Recommendations)
Article 158If the Commission finds it necessary for smooth application of the provisions of the preceding Chapter, the Commission may give recommendations to an administrative organ's head or administrative entity concerning the handling of personal or other related information by an administrative entity.
(Requests for Reports on Measures Taken Based on Recommendations)
Article 159When the Commission gives recommendations to an administrative organ's head or administrative entity pursuant to the provisions of the preceding Article, the Commission may request that head or entity to report on measures that they have taken based on the recommendations.
(Restriction on the Exercise of Authority by the Commission)
Article 160In light of the purpose of the provisions of Article 149, paragraph (1), the Commission is not to exercise its authority when an administrative organ's head or administrative entity provides personal or other related information to a person set forth in one of the items of Article 57, paragraph (1) (limited to the case in which the person handles personal or other related information for the purpose specified in those items).
Section 3 Service of Documents
(Document to be Served)
Article 161(1)For a requirement to submit a report or material under Article 146, paragraph (1), a recommendation under Article 148, paragraph (1), an order under paragraph (2) or paragraph (3) of that Article, a call for a report under Article 153, an order under Article 154, or a rescission under Article 155, paragraph (1), a document specified by Order of the Personal Information Protection Commission must be served.
(2)For an order under Article 148, paragraph (2) or paragraph (3), or Article 154, or a notice under Article 15, paragraph (1) or Article 30 of the Administrative Procedure Act (Act No. 88 of 1993) relating to a rescission under Article 155, paragraph (1), a document referred to in Article 15, paragraphs (1) and (2) or Article 30 of that Act must be served. In this case, the provisions of Article 15, paragraph (3) of that Act (including as applied mutatis mutandis pursuant to Article 31 of that Act following the deemed replacement of terms) do not apply.
(Application, Mutatis Mutandis, of the Code of Civil Procedure Concerning Service of Documents)
Article 162The provisions of Article 99, Article 101, Article 103, Article 105, Article 106, Article 108, and Article 109 of the Code of Civil Procedure apply mutatis mutandis to the service under the preceding Article. In this case, the term "court execution officer" in Article 99, paragraph (1) of the Code is deemed to be replaced by "official of the Personal Information Protection Commission", and the term "presiding judge" in Article 108 of the Code and the term "court" in Article 109 of the Code are deemed to be replaced by "Personal Information Protection Commission".
(Service by Publication)
Article 163(1)The Commission may effect service by publication in the following cases:
(i)the address or residence of the person to be served or the place where service is to be effected is unknown;
(ii)in cases of service that would be effected in a foreign country (meaning a country or region located outside the territory of Japan; the same applies hereinafter), the Commission finds that it is impossible to follow the provisions of Article 108 of the Code of Civil Procedure as applied mutatis mutandis pursuant to the preceding Article following the deemed replacement of terms, or it is impossible to effect service even if the Commission follows those provisions;
(iii)even after six months have elapsed since a commission was issued to the competent government agency of a foreign country pursuant to the provisions of Article 108 of the Code of Civil Procedure as applied mutatis mutandis pursuant to the preceding Article following the deemed replacement of terms, no document that certifies that the agency has effected service has been sent.
(2)A posting to the effect that the documents to be served will be delivered at any time to the person to be served is made on the notice board of the Commission to effect service by publication.
(3)Service by publication becomes effective once two weeks have elapsed since the date on which the posting under the preceding paragraph was commenced.
(4)Regarding service by publication in lieu of service to be made in a foreign country, the period referred to in the preceding paragraph is six weeks.
(Using Electronic Data Processing Systems)
Article 164When, pursuant to Article 7, paragraph (1) of the Act, an official of the Commission uses an electronic data processing system prescribed in Article 6, paragraph (1) of the Act on the Promotion of Utilizing Information and Communications Technology in Administrative Procedures (Act No. 151 of 2002) for administrating affairs related to a disposition notice, etc. prescribed in Article 3, item (ix) of that Act for which a document under Article 161 of this Act is to be served, the official must use that electronic data processing system to record the particulars of the service under Article 109 of the Code of Civil Procedure as applied mutatis mutandis pursuant to Article 162, in a file that is stored on a computer (including input or output device) used by the Commission, instead of preparing and submitting a document that states those particulars.
Section 4 Miscellaneous Provisions
(Public Announcement of the Status of Enforcement)
Article 165(1)The Commission may request an administrative organ's head or administrative entity to report on the status of enforcement of this Act.
(2)Each year the Commission is to compile reports referred to in the preceding paragraph and make a summary of those reports public.
(Requests for Necessary Information by a Local Government)
Article 166(1)When a local government finds it necessary for ensuring the proper handling of personal information by a local government organ, a local incorporated administrative agency or a business, the local government may request the Commission to provide it with necessary information or technical advice.
(2)When requested pursuant to the provisions of the preceding paragraph, the Commission is to provide necessary information or technical advice.
(Notification When Local Ordinances are Prescribed)
Article 167(1)When the head of a local government has prescribed the local ordinance pursuant to the provisions of this Act, that head must notify the Commission of this and the content of that ordinance pursuant to Order of the Personal Information Protection Commission without delay.
(2)When a notification under the preceding paragraph has been given, the Commission must disclose the matters relating to that notification through the use of the Internet or other appropriate means.
(3)The provisions of the preceding two paragraphs apply mutatis mutandis to any alteration to matters relating to the notification under paragraph (1).
(Reports to the Diet)
Article 168The Commission must annually report to the Diet through the Prime Minister on the current status of administering function under the jurisdiction, and disclose its summary.
(Establishment of the Information Center)
Article 169The Commission is to establish a comprehensive information center for ensuring the smooth implementation of the provisions of this Act.
(Affairs Administered by a Local Government)
Article 170Administrative affairs under the Commission's authority prescribed in this Act or under an authority that has been delegated to the competent minister for the business or to the Commissioner of the Financial Services Agency pursuant to the provisions of Article 150, paragraph (1) or paragraph (4) may be managed by the head of a local government or other executive agency as prescribed by Cabinet Order.
Chapter VII Miscellaneous Provisions
(Scope of Application)
Article 171This Act also applies in those cases in which, in relation to supplying a good or service to a person in Japan, a business handling personal information, a business handling pseudonymized personal information, a business handling anonymized personal information, or a business handling information related to personal information handles the personal information by which that person in Japan is identifiable, information related to personal information that is to be acquired as that personal information, or pseudonymized personal information or anonymized personal information that has been prepared by using that personal information, in a foreign country.
(Information Provision to the Foreign Enforcement Authority)
Article 172(1)The Commission may provide the foreign authority enforcing foreign laws and regulations equivalent to this Act (hereinafter referred to as the "foreign enforcement authority" in this Article) with information that the Commission finds as contributing to their fulfilling the duties (limited to those equivalent to the Commission's duties prescribed in this Act; the same applies in the following paragraph).
(2)Concerning the information provision under the preceding paragraph, appropriate measures must be taken so that the information is neither used for any purpose other than for the foreign enforcement authority's fulfilling their duties nor used for a foreign criminal case investigation (limited to the one conducted after the criminal facts subject to the investigation have been specified) or adjudication (hereinafter referred to as an "investigation or adjudication") without consent under the following paragraph.
(3)When having received a request from the foreign enforcement authority, the Commission may consent that the information it provided pursuant to paragraph (1) be used for a foreign criminal case investigation or adjudication in connection with the request except cases falling under one of the following items:
(i)a crime subject to the criminal case investigation or adjudication in connection with the request is a political crime, or the request is found to have been made for the purpose of conducting the investigation or adjudication into a political crime;
(ii)an act relating to the crime that is subject to a criminal case investigation or adjudication connected with the request, if it were committed in Japan, is not to constitute a criminal offense according to the laws and regulations in Japan;
(iii)there is no assurance that the requesting country will accept the same kind of request from Japan.
(4)If the Commission gives the consent referred to in the preceding paragraph, the Commission must acquire the Minister of Justice's confirmation that the relevant case does not fall under item (i) and item (ii) of that paragraph, and the Minister of Foreign Affairs' confirmation that the relevant case does not fall under item (iii) of that paragraph.
(Honest Implementation of International Agreements)
Article 173In the enforcement of this Act, care must be taken not to preclude the honest implementation of treaties and other international agreements which Japan has concluded, and established international law must be complied with.
(Communication and Cooperation)
Article 174The Prime Minister and the head of an administrative organ related to the implementation of this Act (excluding the President of the Board of Audit) must closely communicate and cooperate with one another.
(Delegation to Cabinet Order)
Article 175Beyond what is provided for in this Act, Cabinet Order prescribes matters necessary to implement this Act.
Chapter VIII Penal Provisions
Article 176If an employee or former employee of an administrative entity, a person engaged in or formerly engaged in duties prescribed in the items of Article 66, paragraph (2) or in entrusted duties under Article 73, paragraph (5) or Article 121, paragraph (3), or a staffing agency worker or former staffing agency worker that handles personal information, pseudonymized personal information or anonymized personal information in an administrative entity, provides other persons with a personal information file (including a personal information file all or part of which has been reproduced or processed) relating to Article 60, paragraph (2), item (i) that contains confidential information on individuals without justifiable grounds, that person is subject to imprisonment with work for not more than two years or to a fine of not more than 1,000,000 yen.
Article 177A person who has divulged or misappropriated a secret in violation of the provisions of Article 143 is subject to imprisonment with work for not more than two years or to a fine of not more than 1,000,000 yen.
Article 178If an order under Article 148, paragraph (2) or paragraph (3) is violated, the person who has committed the violation is subject to imprisonment with work for not more than one year or to a fine of not more than 1,000,000 yen.
Article 179If a business handling personal information (or its officer, representative or administrator if it is a corporation (including an organization without legal personality that has made provisions for a representative or manager; the same applies in Article 184, paragraph (1))), its employee, or a person who used to be that business or employee has provided or misappropriated a personal information database or the equivalent (including a personal information database or the equivalent all or part of which has been reproduced or processed) that they handled in the course of their business for the purpose of seeking their own or a third party's illegal profits, they are subject to imprisonment with work for not more than one year or to a fine of not more than 500,000 yen.
Article 180If a person prescribed in Article 176 provides other persons with or misappropriates personal information an administrative entity holds that the person has acquired in the course of their trade, for their own or a third party's illegal profits, that person is subject to imprisonment with work for not more than one year or to a fine of not more than 500,000 yen.
Article 181An employee of an administrative entity who, by abusing that authority, acquires documents, drawings, or electronic or magnetic records containing confidential information on individuals for exclusive use for any purpose other than that employee's duties, is subject to imprisonment with work for not more than one year or to a fine of not more than 500,000 yen.
Article 182In cases that fall under one of the following items, the person who has committed the violation is subject to a fine of not more than 500,000 yen:
(i)a person failed to submit a report or material under Article 146, paragraph (1); submitted a false report or material; failed to answer a question posed by the staff concerned; gave a false answer to a question; or refused, precluded, or evaded an inspection;
(ii)a person failed to submit a report under Article 153, or submitted a false report.
Article 183The provisions of Article 176, Article 177 and Articles 179 through 181 apply to a person who has committed an offense under these Articles outside of Japan.
Article 184(1)If a representative of a corporation, or an agent, employee or other worker of a corporation or person has committed a violation set forth in the following items in relation to the corporation or person's business, in addition to the offender being punished, the corporation is subject to a fine set forth in those items, and the person is subject to a fine set forth in the respective Articles.
(i)Articles 178 and 179: a fine of not more than 100 million yen;
(ii)Article 182: a fine set forth in that Article.
(2)If the provisions of the preceding paragraph apply to an organization without legal personality, its representative or administrator represents that organization regarding an act of litigation, and the provisions of laws on criminal proceedings in the cases in which a corporation is a defendant or suspect apply mutatis mutandis.
Article 185A person falling under one of the following items is subject to a civil fine of not more than 100,000 yen:
(i)a person who has violated the provisions of Article 30, paragraph (2) (including as applied mutatis mutandis pursuant to Article 31, paragraph (3)) or Article 56;
(ii)a person who has failed to submit a notification or submitted a false notification under Article 51, paragraph (1);
(iii)a person who has had personal information an administrative entity holds disclosed based on a decision to disclose as prescribed in Article 85, paragraph (3) by deception or other wrongful means.
Appended Table 1
Name | Legal basis
Okinawa Institute of Science and Technology Graduate University | Okinawa Institute of Science and Technology Graduate University Act (Act No. 76 of 2009)
The Okinawa Development Finance Corporation | Okinawa Development Finance Corporation Act (Act No. 31 of 1972)
Organization for Technical Intern Training | The Act on Proper Technical Intern Training and Protection of Technical Intern Trainees (Act No. 89 of 2016)
Japan Bank for International Cooperation | Japan Bank for International Cooperation Act (Act No. 39 of 2011)
Japan Finance Corporation | Japan Finance Corporation Act (Act No. 57 of 2007)
Nippon Export and Investment Insurance | Trade and Investment Insurance Act (Act No. 67 of 1950)
Nuclear Damage Compensation and Decommissioning Facilitation Corporation | Nuclear Damage Compensation and Decommissioning Facilitation Corporation Act (Act No. 94 of 2011)
National University Corporation | National University Corporation Act (Act No. 112 of 2003)
Inter-University Research Institute Corporation |
Bank of Japan | Bank of Japan Act (Act No. 89 of 1997)
Japan Legal Support Center | Comprehensive Legal Support Act (Act No. 74 of 2004)
Promotion and Mutual Aid Corporation for Private Schools of Japan | Act on the Promotion and Mutual Aid Corporation for Private Schools of Japan (Act No. 48 of 1997)
Japan Racing Association | Japan Racing Association Act (Act No. 205 of 1954)
Japan Pension Service | Japan Pension Organization Act (Act No. 109 of 2007)
Agricultural and Fishery Co-operative Savings Insurance Corporation | Agricultural and Fishery Cooperation Savings Insurance Act (Act No. 53 of 1973)
The Open University of Japan Foundation | Act on the Open University of Japan (Act No. 156 of 2002)
Deposit Insurance Corporation of Japan | Deposit Insurance Act (Act No. 34 of 1971)
Appended Table 2
Name | Legal basis
Okinawa Institute of Science and Technology Graduate University | Okinawa Institute of Science and Technology Graduate University Act
The Okinawa Development Finance Corporation | Act on General Rules for Incorporated Administrative Agency
National University Corporation |
Inter-University Research Institute Corporation |
National Hospital Organization, Incorporated Administrative Agency | Act on the National Hospital Organization, Incorporated Administrative Agency (Act No. 191 of 2002)
Japan Community Health Care Organization, Incorporated Administrative Agency | Act on Japan Community Health Care Organization, Incorporated Administrative Agency (Act No. 71 of 2005)
The Open University of Japan Foundation |